Analysis
max time kernel: 117s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 19-12-2024 07:15
Static task: static1
Behavioral task: behavioral1
Sample: 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Resource: win7-20241010-en
General
Target: 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Size: 100KB
MD5: 5aeab8e067a7af336f06d44921ee43db
SHA1: 1c6bfc0f3a6435df8bb62ebbe29a2e65b61a12eb
SHA256: 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00
SHA512: 86b531508f39c67336cf27ea31275759b04c7e2650ef882194ee0bb2ae511dd1d37cfbb625ce474f3c216bb1747ec46af2875862c7a7f6325bad7b4bedee9ebe
SSDEEP: 1536:h6wEd6F5g+1vRZWjJUW/ONgTVHMY6F/HWXxViY/qc1zlHXk/j:h6aP3RZWWW/OgVslF/HWBt1G
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Sality family
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Disables Task Manager via registry modification
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
File opened for modification | F:\autorun.inf | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Drops file in Program Files directory 11 IoCs
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Suspicious behavior: EnumeratesProcesses 24 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe
Processes
Level 1 | C:\Windows\system32\fontdrvhost.exe | cmdline: "fontdrvhost.exe" | PID: 772
Level 1 | C:\Windows\system32\fontdrvhost.exe | cmdline: "fontdrvhost.exe" | PID: 788
Level 1 | C:\Windows\system32\dwm.exe | cmdline: "dwm.exe" | PID: 1020
Level 1 | C:\Windows\system32\sihost.exe | cmdline: sihost.exe | PID: 2640
Level 1 | C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID: 2656
Level 1 | C:\Windows\system32\taskhostw.exe | cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID: 2804
Level 1 | C:\Windows\Explorer.EXE | cmdline: C:\Windows\Explorer.EXE | PID: 3528
  Level 2 | C:\Users\Admin\AppData\Local\Temp\322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\322891dc707488058036c5255dcabefe39527fa93d09c2331d6392d6499efd00.exe" | PID: 4864
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Windows security modification
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
Level 1 | C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID: 3640
Level 1 | C:\Windows\system32\DllHost.exe | cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID: 3828
Level 1 | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID: 3916
Level 1 | C:\Windows\System32\RuntimeBroker.exe | cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 3980
Level 1 | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID: 4080
Level 1 | C:\Windows\System32\RuntimeBroker.exe | cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 3184
Level 1 | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID: 3748
Level 1 | C:\Windows\System32\RuntimeBroker.exe | cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 3612
Level 1 | C:\Windows\System32\RuntimeBroker.exe | cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 2012
Level 1 | C:\Windows\System32\RuntimeBroker.exe | cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 5016
Level 1 | C:\Windows\system32\backgroundTaskHost.exe | cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID: 4204
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
Filesize: 100KB
MD5: 1cc44f03200860d800b79f03bdbeff99
SHA1: 74891786d6be17e0832daf831e55c83c811254ed
SHA256: 46df73d5ec661664ff83e7eb1b15c599c53d74b66c06ae6712a67e1696ffd6bd
SHA512: 8735f8e9168af8443fdc39564c45f360bd9a794d2c7004fae3312d8d6252b74a04e35bed1cb214cdf828030cb47d05db7eb133fb53cce50a34ac04f26384dc40