Analysis
-
max time kernel
28s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2024 09:39
Static task
static1
Behavioral task
behavioral1
Sample
ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe
Resource
win7-20241023-en
General
-
Target
ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe
-
Size
1.1MB
-
MD5
1c3698bbc99f0bea453d76b58d12ba20
-
SHA1
3dafb852d25011923f7d02678acb57a19193e1d6
-
SHA256
ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63b
-
SHA512
cd6e5c19d0a173570ed81cf1e54f9f7d1364d1e2f1750fa83d9a4e20c89f7129ebccf8e7a66b05f94ff54fb9c5836ebea9373cd300c72a5a96d36467d56c4653
-
SSDEEP
24576:W1/aGLDCM4D8ayGMCPnXo8/4gflI2d+JdjyS:FD8ayGM0XoQr2jyS
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" omjcq.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" omjcq.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" omjcq.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" omjcq.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" omjcq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" omjcq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" omjcq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" omjcq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" omjcq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" omjcq.exe -
Disables RegEdit via registry modification 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" omjcq.exe -
Disables Task Manager via registry modification
-
Deletes itself 1 IoCs
pid Process 4508 omjcq.exe -
Executes dropped EXE 1 IoCs
pid Process 4508 omjcq.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" omjcq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" omjcq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" omjcq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" omjcq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" omjcq.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc omjcq.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" omjcq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\omjcq.exe" omjcq.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" omjcq.exe -
resource yara_rule behavioral2/memory/404-3-0x0000000002650000-0x00000000036DE000-memory.dmp upx behavioral2/memory/404-7-0x0000000002650000-0x00000000036DE000-memory.dmp upx behavioral2/memory/404-4-0x0000000002650000-0x00000000036DE000-memory.dmp upx behavioral2/memory/404-8-0x0000000002650000-0x00000000036DE000-memory.dmp upx behavioral2/memory/404-10-0x0000000002650000-0x00000000036DE000-memory.dmp upx behavioral2/memory/404-1-0x0000000002650000-0x00000000036DE000-memory.dmp upx behavioral2/memory/404-9-0x0000000002650000-0x00000000036DE000-memory.dmp upx behavioral2/memory/404-13-0x0000000002650000-0x00000000036DE000-memory.dmp upx behavioral2/memory/404-25-0x0000000002650000-0x00000000036DE000-memory.dmp upx behavioral2/memory/404-15-0x0000000002650000-0x00000000036DE000-memory.dmp upx behavioral2/memory/404-14-0x0000000002650000-0x00000000036DE000-memory.dmp upx behavioral2/memory/4508-73-0x0000000002620000-0x00000000036AE000-memory.dmp upx behavioral2/memory/4508-68-0x0000000002620000-0x00000000036AE000-memory.dmp upx behavioral2/memory/4508-77-0x0000000002620000-0x00000000036AE000-memory.dmp upx behavioral2/memory/4508-76-0x0000000002620000-0x00000000036AE000-memory.dmp upx behavioral2/memory/4508-75-0x0000000002620000-0x00000000036AE000-memory.dmp upx behavioral2/memory/4508-71-0x0000000002620000-0x00000000036AE000-memory.dmp upx behavioral2/memory/4508-70-0x0000000002620000-0x00000000036AE000-memory.dmp upx behavioral2/memory/4508-74-0x0000000002620000-0x00000000036AE000-memory.dmp upx behavioral2/memory/4508-72-0x0000000002620000-0x00000000036AE000-memory.dmp upx behavioral2/memory/4508-92-0x0000000002620000-0x00000000036AE000-memory.dmp upx behavioral2/memory/4508-93-0x0000000002620000-0x00000000036AE000-memory.dmp upx behavioral2/memory/4508-114-0x0000000002620000-0x00000000036AE000-memory.dmp upx behavioral2/memory/4508-115-0x0000000002620000-0x00000000036AE000-memory.dmp upx behavioral2/memory/4508-149-0x0000000002620000-0x00000000036AE000-memory.dmp upx behavioral2/memory/4508-153-0x0000000002620000-0x00000000036AE000-memory.dmp upx behavioral2/memory/4508-154-0x0000000002620000-0x00000000036AE000-memory.dmp upx behavioral2/memory/4508-187-0x0000000002620000-0x00000000036AE000-memory.dmp upx behavioral2/memory/4508-191-0x0000000002620000-0x00000000036AE000-memory.dmp upx behavioral2/memory/4508-195-0x0000000002620000-0x00000000036AE000-memory.dmp upx behavioral2/memory/4508-232-0x0000000002620000-0x00000000036AE000-memory.dmp upx behavioral2/memory/4508-236-0x0000000002620000-0x00000000036AE000-memory.dmp upx behavioral2/memory/4508-238-0x0000000002620000-0x00000000036AE000-memory.dmp upx behavioral2/memory/4508-272-0x0000000002620000-0x00000000036AE000-memory.dmp upx behavioral2/memory/4508-273-0x0000000002620000-0x00000000036AE000-memory.dmp upx behavioral2/memory/4508-282-0x0000000002620000-0x00000000036AE000-memory.dmp upx behavioral2/memory/4508-283-0x0000000002620000-0x00000000036AE000-memory.dmp upx -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omjcq.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe 4508 omjcq.exe 4508 omjcq.exe 4508 omjcq.exe 4508 omjcq.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Token: SeDebugPrivilege 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe -
Suspicious use of WriteProcessMemory 48 IoCs
description pid Process procid_target PID 404 wrote to memory of 788 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe 8 PID 404 wrote to memory of 796 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe 9 PID 404 wrote to memory of 332 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe 13 PID 404 wrote to memory of 2556 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe 42 PID 404 wrote to memory of 2572 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe 43 PID 404 wrote to memory of 2668 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe 46 PID 404 wrote to memory of 3380 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe 56 PID 404 wrote to memory of 3548 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe 57 PID 404 wrote to memory of 3756 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe 58 PID 404 wrote to memory of 3856 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe 59 PID 404 wrote to memory of 3916 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe 60 PID 404 wrote to memory of 4008 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe 61 PID 404 wrote to memory of 3544 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe 62 PID 404 wrote to memory of 2248 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe 74 PID 404 wrote to memory of 4452 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe 76 PID 404 wrote to memory of 4508 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe 82 PID 404 wrote to memory of 4508 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe 82 PID 404 wrote to memory of 4508 404 ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe 82 PID 4508 wrote to memory of 788 4508 omjcq.exe 8 PID 4508 wrote to memory of 796 4508 omjcq.exe 9 PID 4508 wrote to memory of 332 4508 omjcq.exe 13 PID 4508 wrote to memory of 2556 4508 omjcq.exe 42 PID 4508 wrote to memory of 2572 4508 omjcq.exe 43 PID 4508 wrote to memory of 2668 4508 omjcq.exe 46 PID 4508 wrote to memory of 3380 4508 omjcq.exe 56 PID 4508 wrote to memory of 3548 4508 omjcq.exe 57 PID 4508 wrote to memory of 3756 4508 omjcq.exe 58 PID 4508 wrote to memory of 3856 4508 omjcq.exe 59 PID 4508 wrote to memory of 3916 4508 omjcq.exe 60 PID 4508 wrote to memory of 4008 4508 omjcq.exe 61 PID 4508 wrote to memory of 3544 4508 omjcq.exe 62 PID 4508 wrote to memory of 2248 4508 omjcq.exe 74 PID 4508 wrote to memory of 4452 4508 omjcq.exe 76 PID 4508 wrote to memory of 788 4508 omjcq.exe 8 PID 4508 wrote to memory of 796 4508 omjcq.exe 9 PID 4508 wrote to memory of 332 4508 omjcq.exe 13 PID 4508 wrote to memory of 2556 4508 omjcq.exe 42 PID 4508 wrote to memory of 2572 4508 omjcq.exe 43 PID 4508 wrote to memory of 2668 4508 omjcq.exe 46 PID 4508 wrote to memory of 3380 4508 omjcq.exe 56 PID 4508 wrote to memory of 3548 4508 omjcq.exe 57 PID 4508 wrote to memory of 3756 4508 omjcq.exe 58 PID 4508 wrote to memory of 3856 4508 omjcq.exe 59 PID 4508 wrote to memory of 3916 4508 omjcq.exe 60 PID 4508 wrote to memory of 4008 4508 omjcq.exe 61 PID 4508 wrote to memory of 3544 4508 omjcq.exe 62 PID 4508 wrote to memory of 2248 4508 omjcq.exe 74 PID 4508 wrote to memory of 4452 4508 omjcq.exe 76 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" omjcq.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:788
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:796
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:332
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2556
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2572
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2668
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3380
-
C:\Users\Admin\AppData\Local\Temp\ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe"C:\Users\Admin\AppData\Local\Temp\ce8c532ddb51155f91b23426c990269d277bb28bfc99273a0077e136459ce63bN.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:404 -
C:\ProgramData\omjcq.exe"C:\ProgramData\omjcq.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4508
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3548
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3756
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3856
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3916
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4008
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3544
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:2248
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4452
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5d13d080b67ac4d4d5513b5d918e39d5f
SHA168cec90c289f52c8642a1ce183b1091f58671c85
SHA256624bd10ba2a87a71724158b23d1acd3de685f6195cd3db1e0b0d0fad4ebaf258
SHA5126fb07cdac8a3dbd28d5aedfb5052018156ba55a53cbe7923ea0a42a29e2202cc4d2c257ddeaccbcf1798d56ac0607b96f7336cc91ce27524bebd8d38e993d92f
-
Filesize
557KB
MD56f1656028d98fceaa83d9b6f8cc5459d
SHA17f2e990ad5347f6613683e7efa86f08ebfa9f4a6
SHA2562121af2516f030cebfd88efb6b6c195ecc4573cdbc79595253af54970a0a8a9a
SHA512cc0ede5bd411363d4f6a81e20521af15865decedbfb539702744f8cafc2087533a513f4a7541cb0eb3447411397cd042d00232e9d091a97e09043711379ce71e
-
Filesize
522KB
MD5489b4d6190a0d56a36713b930ee42ca1
SHA1ce3255fe0aca14e25cef6db98b760bcd85db6e3b
SHA25606c92dd720be6edf146bd3425fdf83efe29055419f1594131299ede2563c9f14
SHA5120b4aafdfd9f5ac5cfa62d3c75a4a87e36dbb1b2c83a4f293d2da306180e3187ebfe12d1be0108af20b362b3919a0f41c41377779abd49d988fba40d9b1c4d6db
-
Filesize
257B
MD50b83fff1cbb274d001f35a9399391d89
SHA14a4b11d6bb8777ca36e0170786e43358c2999ddb
SHA256729076780f0fb47f74ecf2400c2a749ef4551033bf2615e4c5dc958400445b9b
SHA5129e2c59ebfff7981f7ac2e7be9c40260d7f9e05f104c475e9471e67ef1607abadfcdfa94d5f2c36951e8494d134dea49002bf2d40800bc6d8b71f455e4f434546