Analysis
-
max time kernel
22s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2024 05:25
Static task
static1
Behavioral task
behavioral1
Sample
e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe
Resource
win7-20240708-en
General
-
Target
e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe
-
Size
1.1MB
-
MD5
b2aec7ae0a095e59c8b98f9530302032
-
SHA1
6007183f50375304a1465fd71cdb6d5dfd667209
-
SHA256
e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6
-
SHA512
8226b09709b5744826bc6b57a07065952bf7e2af6687d330e3105c78f3d647b6da1def3afe453c7308de4304b64edc7b17842f26847f6887664c8b4222915147
-
SSDEEP
24576:W1/aGLDCM4D8ayGMCPnXo8/4gflI2d+JdjyW:FD8ayGM0XoQr2jyW
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" buchxa.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" buchxa.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" buchxa.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" buchxa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" buchxa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" buchxa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" buchxa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" buchxa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" buchxa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" buchxa.exe -
Disables RegEdit via registry modification 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" buchxa.exe -
Disables Task Manager via registry modification
-
Deletes itself 1 IoCs
pid Process 2340 buchxa.exe -
Executes dropped EXE 1 IoCs
pid Process 2340 buchxa.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" buchxa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" buchxa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" buchxa.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc buchxa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" buchxa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" buchxa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" buchxa.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\buchxa.exe" buchxa.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" buchxa.exe -
resource yara_rule behavioral2/memory/1780-1-0x0000000002610000-0x000000000369E000-memory.dmp upx behavioral2/memory/1780-3-0x0000000002610000-0x000000000369E000-memory.dmp upx behavioral2/memory/1780-7-0x0000000002610000-0x000000000369E000-memory.dmp upx behavioral2/memory/1780-6-0x0000000002610000-0x000000000369E000-memory.dmp upx behavioral2/memory/1780-12-0x0000000002610000-0x000000000369E000-memory.dmp upx behavioral2/memory/1780-13-0x0000000002610000-0x000000000369E000-memory.dmp upx behavioral2/memory/1780-10-0x0000000002610000-0x000000000369E000-memory.dmp upx behavioral2/memory/1780-15-0x0000000002610000-0x000000000369E000-memory.dmp upx behavioral2/memory/1780-24-0x0000000002610000-0x000000000369E000-memory.dmp upx behavioral2/memory/1780-5-0x0000000002610000-0x000000000369E000-memory.dmp upx behavioral2/memory/1780-4-0x0000000002610000-0x000000000369E000-memory.dmp upx behavioral2/memory/2340-132-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-128-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-133-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-130-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-134-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-131-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-137-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-136-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-135-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-138-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-144-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-143-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-175-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-176-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-180-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-215-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-216-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-221-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-222-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-256-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-257-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-262-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-266-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-269-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-305-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-307-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-309-0x0000000002640000-0x00000000036CE000-memory.dmp upx behavioral2/memory/2340-341-0x0000000002640000-0x00000000036CE000-memory.dmp upx -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language buchxa.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 2340 buchxa.exe 2340 buchxa.exe 2340 buchxa.exe 2340 buchxa.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe -
Suspicious use of WriteProcessMemory 48 IoCs
description pid Process procid_target PID 1780 wrote to memory of 776 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 8 PID 1780 wrote to memory of 780 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 9 PID 1780 wrote to memory of 336 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 13 PID 1780 wrote to memory of 2648 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 44 PID 1780 wrote to memory of 2660 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 45 PID 1780 wrote to memory of 2892 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 51 PID 1780 wrote to memory of 3424 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 56 PID 1780 wrote to memory of 3544 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 57 PID 1780 wrote to memory of 3732 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 58 PID 1780 wrote to memory of 3824 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 59 PID 1780 wrote to memory of 3884 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 60 PID 1780 wrote to memory of 3964 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 61 PID 1780 wrote to memory of 4132 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 62 PID 1780 wrote to memory of 4956 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 74 PID 1780 wrote to memory of 4844 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 76 PID 1780 wrote to memory of 2340 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 82 PID 1780 wrote to memory of 2340 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 82 PID 1780 wrote to memory of 2340 1780 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 82 PID 2340 wrote to memory of 776 2340 buchxa.exe 8 PID 2340 wrote to memory of 780 2340 buchxa.exe 9 PID 2340 wrote to memory of 336 2340 buchxa.exe 13 PID 2340 wrote to memory of 2648 2340 buchxa.exe 44 PID 2340 wrote to memory of 2660 2340 buchxa.exe 45 PID 2340 wrote to memory of 2892 2340 buchxa.exe 51 PID 2340 wrote to memory of 3424 2340 buchxa.exe 56 PID 2340 wrote to memory of 3544 2340 buchxa.exe 57 PID 2340 wrote to memory of 3732 2340 buchxa.exe 58 PID 2340 wrote to memory of 3824 2340 buchxa.exe 59 PID 2340 wrote to memory of 3884 2340 buchxa.exe 60 PID 2340 wrote to memory of 3964 2340 buchxa.exe 61 PID 2340 wrote to memory of 4132 2340 buchxa.exe 62 PID 2340 wrote to memory of 4956 2340 buchxa.exe 74 PID 2340 wrote to memory of 4844 2340 buchxa.exe 76 PID 2340 wrote to memory of 776 2340 buchxa.exe 8 PID 2340 wrote to memory of 780 2340 buchxa.exe 9 PID 2340 wrote to memory of 336 2340 buchxa.exe 13 PID 2340 wrote to memory of 2648 2340 buchxa.exe 44 PID 2340 wrote to memory of 2660 2340 buchxa.exe 45 PID 2340 wrote to memory of 2892 2340 buchxa.exe 51 PID 2340 wrote to memory of 3424 2340 buchxa.exe 56 PID 2340 wrote to memory of 3544 2340 buchxa.exe 57 PID 2340 wrote to memory of 3732 2340 buchxa.exe 58 PID 2340 wrote to memory of 3824 2340 buchxa.exe 59 PID 2340 wrote to memory of 3884 2340 buchxa.exe 60 PID 2340 wrote to memory of 3964 2340 buchxa.exe 61 PID 2340 wrote to memory of 4132 2340 buchxa.exe 62 PID 2340 wrote to memory of 4956 2340 buchxa.exe 74 PID 2340 wrote to memory of 4844 2340 buchxa.exe 76 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" buchxa.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:776
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:780
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:336
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2648
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2660
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2892
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3424
-
C:\Users\Admin\AppData\Local\Temp\e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe"C:\Users\Admin\AppData\Local\Temp\e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1780 -
C:\ProgramData\buchxa.exe"C:\ProgramData\buchxa.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2340
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3544
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3732
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3824
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3884
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3964
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4132
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:4956
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4844
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD51938e2a2b51a5cedbc9d39ace65b6dc8
SHA1371721098abad9f8bc0806ed276937aecba3b1c8
SHA2569583ad1c5311bf46c6f666fc48c3f6f3eec5b028b396685855f4402c8639e1f9
SHA512c7698fce37667b389607095d895dae9f20811e55c6d78d8e1dcc5adc96a85c9b3717a89a6f1d8771626c65734987e75d5a64a023808f085b057fd98a281f4fac
-
Filesize
557KB
MD56f1656028d98fceaa83d9b6f8cc5459d
SHA17f2e990ad5347f6613683e7efa86f08ebfa9f4a6
SHA2562121af2516f030cebfd88efb6b6c195ecc4573cdbc79595253af54970a0a8a9a
SHA512cc0ede5bd411363d4f6a81e20521af15865decedbfb539702744f8cafc2087533a513f4a7541cb0eb3447411397cd042d00232e9d091a97e09043711379ce71e
-
Filesize
522KB
MD5318d4f757e922729439b606c56c46021
SHA185b2be3c4b7a0dd0e75fd85af99b4c0e0cbdf8d9
SHA25614229717397fe1d55655578a1228f4bdcd7a340c3df458ebd9749f2d2fa76ccf
SHA51214904938961760a5682814f821fa57402e4db879d5d79f1ba08a211f2b6df9c58c3d3d275e63460b94012ff1b95f7f23e5de6a469829433fb44cf932c200953c
-
Filesize
257B
MD5c275db4e6434e0a2ffcb7e4a2ce918aa
SHA1faa5d0cc27b7c324ab0de7f74e34e61d3aa49624
SHA256f456d753ccdec50d7e6ff4a00e7762b12e89557f939e90041f5d7382936095a1
SHA51288c79bb3f531f7dac790d04839ddcc30a78995754cefc0bb78f866d64447a1617a7871076e44c4f983c9249be0646cc844920d81f96d5f37faa9f12ce0faab63