Analysis
-
max time kernel
32s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2024 05:16
Static task
static1
Behavioral task
behavioral1
Sample
e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe
Resource
win7-20240903-en
General
-
Target
e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe
-
Size
1.1MB
-
MD5
b2aec7ae0a095e59c8b98f9530302032
-
SHA1
6007183f50375304a1465fd71cdb6d5dfd667209
-
SHA256
e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6
-
SHA512
8226b09709b5744826bc6b57a07065952bf7e2af6687d330e3105c78f3d647b6da1def3afe453c7308de4304b64edc7b17842f26847f6887664c8b4222915147
-
SSDEEP
24576:W1/aGLDCM4D8ayGMCPnXo8/4gflI2d+JdjyW:FD8ayGM0XoQr2jyW
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" clxnp.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" clxnp.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" clxnp.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" clxnp.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" clxnp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" clxnp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" clxnp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" clxnp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" clxnp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" clxnp.exe -
Disables RegEdit via registry modification 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" clxnp.exe -
Disables Task Manager via registry modification
-
Deletes itself 1 IoCs
pid Process 912 clxnp.exe -
Executes dropped EXE 1 IoCs
pid Process 912 clxnp.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" clxnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" clxnp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" clxnp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" clxnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc clxnp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" clxnp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" clxnp.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\clxnp.exe" clxnp.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" clxnp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe -
resource yara_rule behavioral2/memory/3440-4-0x00000000028F0000-0x000000000397E000-memory.dmp upx behavioral2/memory/3440-9-0x00000000028F0000-0x000000000397E000-memory.dmp upx behavioral2/memory/3440-3-0x00000000028F0000-0x000000000397E000-memory.dmp upx behavioral2/memory/3440-8-0x00000000028F0000-0x000000000397E000-memory.dmp upx behavioral2/memory/3440-5-0x00000000028F0000-0x000000000397E000-memory.dmp upx behavioral2/memory/3440-11-0x00000000028F0000-0x000000000397E000-memory.dmp upx behavioral2/memory/3440-13-0x00000000028F0000-0x000000000397E000-memory.dmp upx behavioral2/memory/3440-15-0x00000000028F0000-0x000000000397E000-memory.dmp upx behavioral2/memory/3440-22-0x00000000028F0000-0x000000000397E000-memory.dmp upx behavioral2/memory/3440-14-0x00000000028F0000-0x000000000397E000-memory.dmp upx behavioral2/memory/912-71-0x0000000002790000-0x000000000381E000-memory.dmp upx behavioral2/memory/912-75-0x0000000002790000-0x000000000381E000-memory.dmp upx behavioral2/memory/912-77-0x0000000002790000-0x000000000381E000-memory.dmp upx behavioral2/memory/912-74-0x0000000002790000-0x000000000381E000-memory.dmp upx behavioral2/memory/912-69-0x0000000002790000-0x000000000381E000-memory.dmp upx behavioral2/memory/912-68-0x0000000002790000-0x000000000381E000-memory.dmp upx behavioral2/memory/912-67-0x0000000002790000-0x000000000381E000-memory.dmp upx behavioral2/memory/912-70-0x0000000002790000-0x000000000381E000-memory.dmp upx behavioral2/memory/912-65-0x0000000002790000-0x000000000381E000-memory.dmp upx behavioral2/memory/912-84-0x0000000002790000-0x000000000381E000-memory.dmp upx behavioral2/memory/912-83-0x0000000002790000-0x000000000381E000-memory.dmp upx behavioral2/memory/912-85-0x0000000002790000-0x000000000381E000-memory.dmp upx behavioral2/memory/912-116-0x0000000002790000-0x000000000381E000-memory.dmp upx behavioral2/memory/912-155-0x0000000002790000-0x000000000381E000-memory.dmp upx behavioral2/memory/912-151-0x0000000002790000-0x000000000381E000-memory.dmp upx behavioral2/memory/912-157-0x0000000002790000-0x000000000381E000-memory.dmp upx behavioral2/memory/912-192-0x0000000002790000-0x000000000381E000-memory.dmp upx behavioral2/memory/912-196-0x0000000002790000-0x000000000381E000-memory.dmp upx behavioral2/memory/912-202-0x0000000002790000-0x000000000381E000-memory.dmp upx behavioral2/memory/912-233-0x0000000002790000-0x000000000381E000-memory.dmp upx behavioral2/memory/912-237-0x0000000002790000-0x000000000381E000-memory.dmp upx behavioral2/memory/912-241-0x0000000002790000-0x000000000381E000-memory.dmp upx behavioral2/memory/912-245-0x0000000002790000-0x000000000381E000-memory.dmp upx behavioral2/memory/912-278-0x0000000002790000-0x000000000381E000-memory.dmp upx behavioral2/memory/912-282-0x0000000002790000-0x000000000381E000-memory.dmp upx -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language clxnp.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 912 clxnp.exe 912 clxnp.exe 912 clxnp.exe 912 clxnp.exe 912 clxnp.exe 912 clxnp.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Token: SeDebugPrivilege 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe -
Suspicious use of WriteProcessMemory 63 IoCs
description pid Process procid_target PID 3440 wrote to memory of 776 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 8 PID 3440 wrote to memory of 780 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 9 PID 3440 wrote to memory of 316 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 13 PID 3440 wrote to memory of 2972 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 50 PID 3440 wrote to memory of 3060 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 51 PID 3440 wrote to memory of 672 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 52 PID 3440 wrote to memory of 3396 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 56 PID 3440 wrote to memory of 3536 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 57 PID 3440 wrote to memory of 3732 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 58 PID 3440 wrote to memory of 3820 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 59 PID 3440 wrote to memory of 3888 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 60 PID 3440 wrote to memory of 3968 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 61 PID 3440 wrote to memory of 3480 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 62 PID 3440 wrote to memory of 5108 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 64 PID 3440 wrote to memory of 1192 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 75 PID 3440 wrote to memory of 912 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 82 PID 3440 wrote to memory of 912 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 82 PID 3440 wrote to memory of 912 3440 e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe 82 PID 912 wrote to memory of 776 912 clxnp.exe 8 PID 912 wrote to memory of 780 912 clxnp.exe 9 PID 912 wrote to memory of 316 912 clxnp.exe 13 PID 912 wrote to memory of 2972 912 clxnp.exe 50 PID 912 wrote to memory of 3060 912 clxnp.exe 51 PID 912 wrote to memory of 672 912 clxnp.exe 52 PID 912 wrote to memory of 3396 912 clxnp.exe 56 PID 912 wrote to memory of 3536 912 clxnp.exe 57 PID 912 wrote to memory of 3732 912 clxnp.exe 58 PID 912 wrote to memory of 3820 912 clxnp.exe 59 PID 912 wrote to memory of 3888 912 clxnp.exe 60 PID 912 wrote to memory of 3968 912 clxnp.exe 61 PID 912 wrote to memory of 3480 912 clxnp.exe 62 PID 912 wrote to memory of 5108 912 clxnp.exe 64 PID 912 wrote to memory of 1192 912 clxnp.exe 75 PID 912 wrote to memory of 776 912 clxnp.exe 8 PID 912 wrote to memory of 780 912 clxnp.exe 9 PID 912 wrote to memory of 316 912 clxnp.exe 13 PID 912 wrote to memory of 2972 912 clxnp.exe 50 PID 912 wrote to memory of 3060 912 clxnp.exe 51 PID 912 wrote to memory of 672 912 clxnp.exe 52 PID 912 wrote to memory of 3396 912 clxnp.exe 56 PID 912 wrote to memory of 3536 912 clxnp.exe 57 PID 912 wrote to memory of 3732 912 clxnp.exe 58 PID 912 wrote to memory of 3820 912 clxnp.exe 59 PID 912 wrote to memory of 3888 912 clxnp.exe 60 PID 912 wrote to memory of 3968 912 clxnp.exe 61 PID 912 wrote to memory of 3480 912 clxnp.exe 62 PID 912 wrote to memory of 5108 912 clxnp.exe 64 PID 912 wrote to memory of 1192 912 clxnp.exe 75 PID 912 wrote to memory of 776 912 clxnp.exe 8 PID 912 wrote to memory of 780 912 clxnp.exe 9 PID 912 wrote to memory of 316 912 clxnp.exe 13 PID 912 wrote to memory of 2972 912 clxnp.exe 50 PID 912 wrote to memory of 3060 912 clxnp.exe 51 PID 912 wrote to memory of 672 912 clxnp.exe 52 PID 912 wrote to memory of 3396 912 clxnp.exe 56 PID 912 wrote to memory of 3536 912 clxnp.exe 57 PID 912 wrote to memory of 3732 912 clxnp.exe 58 PID 912 wrote to memory of 3820 912 clxnp.exe 59 PID 912 wrote to memory of 3888 912 clxnp.exe 60 PID 912 wrote to memory of 3968 912 clxnp.exe 61 PID 912 wrote to memory of 3480 912 clxnp.exe 62 PID 912 wrote to memory of 5108 912 clxnp.exe 64 PID 912 wrote to memory of 1192 912 clxnp.exe 75 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" clxnp.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:776
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:780
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:316
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2972
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:3060
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:672
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3396
-
C:\Users\Admin\AppData\Local\Temp\e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe"C:\Users\Admin\AppData\Local\Temp\e40cc7939dececa4d20d83280b97728059cfc444ac9de3c0ff4d1671ab6490f6.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3440 -
C:\ProgramData\clxnp.exe"C:\ProgramData\clxnp.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:912
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3536
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3732
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3820
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3888
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3968
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3480
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:5108
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:1192
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD506e7a542749605bb13768914c0132b4f
SHA135a26affc81cbcdfb9e980d50f8fb12be5fe7c09
SHA25632dff352207ca603f546f0008e2459575623f000c62120a98b5cff994888461d
SHA51246c200785301e1777b1a30bd178b17bec5594e2ab71f97889966135947bf80dc8dfbc3d6dc3b1e2591b44a533123ee81223fa4c3bc21a8c195377b3a5af64041
-
Filesize
557KB
MD56f1656028d98fceaa83d9b6f8cc5459d
SHA17f2e990ad5347f6613683e7efa86f08ebfa9f4a6
SHA2562121af2516f030cebfd88efb6b6c195ecc4573cdbc79595253af54970a0a8a9a
SHA512cc0ede5bd411363d4f6a81e20521af15865decedbfb539702744f8cafc2087533a513f4a7541cb0eb3447411397cd042d00232e9d091a97e09043711379ce71e
-
Filesize
522KB
MD5318d4f757e922729439b606c56c46021
SHA185b2be3c4b7a0dd0e75fd85af99b4c0e0cbdf8d9
SHA25614229717397fe1d55655578a1228f4bdcd7a340c3df458ebd9749f2d2fa76ccf
SHA51214904938961760a5682814f821fa57402e4db879d5d79f1ba08a211f2b6df9c58c3d3d275e63460b94012ff1b95f7f23e5de6a469829433fb44cf932c200953c
-
Filesize
257B
MD50540c2c2c4c7db7eac3c193094b0072b
SHA18fa15a025204e0dbdda69f30626f81d3172883b4
SHA256049f6a36daec00b78753f3ad36a03a5e853fe56f9badb125e4c435fc0a83e15b
SHA51244ac938b066bcf3252418e8c35b15d6eaae1f0a4a374b0869b75333e5bd8b0a491172cf3ca31d4af23e4b91d1c86bae6afa227719802911f81029b5a1e5b6838