Analysis
-
max time kernel
118s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-12-2024 02:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe
Resource
win7-20240903-en
windows7-x64
18 signatures
120 seconds
General
-
Target
260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe
-
Size
97KB
-
MD5
9bddf6ec69a9081b94365b9cee904b10
-
SHA1
74427f9b609f67ac096587aa4ebbfcccad7f4ef8
-
SHA256
260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271
-
SHA512
e0e810722d0196c0a3aa576a1adaf1411541876259996951c7da33a6f38852e5b477d2c0a6bd0ed80d6acb83cbc73cd7ed0841e9c2d79a0ce2295818a4368439
-
SSDEEP
3072:xSUti6Rj6Yxq2hb/uxehD8EEjsYHjxQd:xN0YQeuxCDrYDG
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\M: 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened (read-only) \??\O: 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened (read-only) \??\Q: 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened (read-only) \??\R: 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened (read-only) \??\U: 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened (read-only) \??\G: 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened (read-only) \??\P: 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened (read-only) \??\W: 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened (read-only) \??\Y: 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened (read-only) \??\Z: 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened (read-only) \??\N: 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened (read-only) \??\K: 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened (read-only) \??\T: 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened (read-only) \??\E: 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened (read-only) \??\I: 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened (read-only) \??\J: 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened (read-only) \??\L: 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened (read-only) \??\S: 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened (read-only) \??\V: 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened (read-only) \??\X: 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened (read-only) \??\H: 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened for modification F:\autorun.inf 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe -
resource yara_rule behavioral2/memory/3136-3-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-5-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-1-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-4-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-15-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-16-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-7-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-19-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-13-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-6-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-14-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-22-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-23-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-24-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-25-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-26-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-28-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-29-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-30-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-33-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-34-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-37-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-38-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-41-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-45-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-47-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-48-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-50-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-51-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-52-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-53-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-55-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-62-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-63-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-65-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-67-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-68-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-69-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-70-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-72-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-74-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/3136-79-0x00000000007F0000-0x00000000018AA000-memory.dmp upx -
Drops file in Program Files directory 11 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\7zG.exe 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened for modification C:\Program Files\7-Zip\7z.exe 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\e579e05 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe File opened for modification C:\Windows\SYSTEM.INI 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe -
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid Process 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe Token: SeDebugPrivilege 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3136 wrote to memory of 760 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 8 PID 3136 wrote to memory of 764 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 9 PID 3136 wrote to memory of 64 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 13 PID 3136 wrote to memory of 3048 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 51 PID 3136 wrote to memory of 2624 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 52 PID 3136 wrote to memory of 3100 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 53 PID 3136 wrote to memory of 3472 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 56 PID 3136 wrote to memory of 3588 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 57 PID 3136 wrote to memory of 3792 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 58 PID 3136 wrote to memory of 3884 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 59 PID 3136 wrote to memory of 3956 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 60 PID 3136 wrote to memory of 4052 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 61 PID 3136 wrote to memory of 4212 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 62 PID 3136 wrote to memory of 4732 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 75 PID 3136 wrote to memory of 3744 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 76 PID 3136 wrote to memory of 3808 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 81 PID 3136 wrote to memory of 760 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 8 PID 3136 wrote to memory of 764 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 9 PID 3136 wrote to memory of 64 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 13 PID 3136 wrote to memory of 3048 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 51 PID 3136 wrote to memory of 2624 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 52 PID 3136 wrote to memory of 3100 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 53 PID 3136 wrote to memory of 3472 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 56 PID 3136 wrote to memory of 3588 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 57 PID 3136 wrote to memory of 3792 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 58 PID 3136 wrote to memory of 3884 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 59 PID 3136 wrote to memory of 3956 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 60 PID 3136 wrote to memory of 4052 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 61 PID 3136 wrote to memory of 4212 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 62 PID 3136 wrote to memory of 4732 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 75 PID 3136 wrote to memory of 3744 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 76 PID 3136 wrote to memory of 760 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 8 PID 3136 wrote to memory of 764 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 9 PID 3136 wrote to memory of 64 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 13 PID 3136 wrote to memory of 3048 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 51 PID 3136 wrote to memory of 2624 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 52 PID 3136 wrote to memory of 3100 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 53 PID 3136 wrote to memory of 3472 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 56 PID 3136 wrote to memory of 3588 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 57 PID 3136 wrote to memory of 3792 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 58 PID 3136 wrote to memory of 3884 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 59 PID 3136 wrote to memory of 3956 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 60 PID 3136 wrote to memory of 4052 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 61 PID 3136 wrote to memory of 4212 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 62 PID 3136 wrote to memory of 4732 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 75 PID 3136 wrote to memory of 3744 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 76 PID 3136 wrote to memory of 760 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 8 PID 3136 wrote to memory of 764 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 9 PID 3136 wrote to memory of 64 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 13 PID 3136 wrote to memory of 3048 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 51 PID 3136 wrote to memory of 2624 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 52 PID 3136 wrote to memory of 3100 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 53 PID 3136 wrote to memory of 3472 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 56 PID 3136 wrote to memory of 3588 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 57 PID 3136 wrote to memory of 3792 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 58 PID 3136 wrote to memory of 3884 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 59 PID 3136 wrote to memory of 3956 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 60 PID 3136 wrote to memory of 4052 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 61 PID 3136 wrote to memory of 4212 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 62 PID 3136 wrote to memory of 4732 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 75 PID 3136 wrote to memory of 3744 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 76 PID 3136 wrote to memory of 760 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 8 PID 3136 wrote to memory of 764 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 9 PID 3136 wrote to memory of 64 3136 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe 13 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:760
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:764
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:64
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:3048
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2624
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:3100
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3472
-
C:\Users\Admin\AppData\Local\Temp\260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe"C:\Users\Admin\AppData\Local\Temp\260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3136
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3588
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3792
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3884
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3956
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4052
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4212
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:4732
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3744
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:3808
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD5e8a978c510606e105f7fd4eb37144781
SHA18f23bdbfbd5502c1e07534dcab8559f1dff64f4c
SHA256f722198422f6a16c565fdfb5b6d88fe697a7ba00205c1e60d0c708c21fe3e26d
SHA5123f701602b9038e1621f6dff5824a5a8cd4d61570cd3f2fda4c578478639d4edcc72f828352496cdb708a2ef0dadb51c3854a20bcbb5cb3ec584cc45831f444e1