Analysis
Max time kernel: 119s
Max time network: 93s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
Submitted: 25-12-2024 22:37
Static task: static1
Behavioral task: behavioral1
Sample: c1a282b8f3666a7b2b1ed31110705e7fd9164cb0ccd8315c6da32d11bc981845.exe
Resource: win7-20240903-en
General
Target: c1a282b8f3666a7b2b1ed31110705e7fd9164cb0ccd8315c6da32d11bc981845.exe
Size: 144KB
MD5: 2b83eefe033c91f6770bac6cba53e485
SHA1: 025555ce121d02a55d0ed2e67e0035d7c7eded2f
SHA256: c1a282b8f3666a7b2b1ed31110705e7fd9164cb0ccd8315c6da32d11bc981845
SHA512: dbdd8ac52dfb02d358b761aebb7f792acab79a586caa770f69303e66eb494dabc36dc5ea29b6c2f71f58412fcd9f3e628fb1005910538c601acd96af93734a76
SSDEEP: 3072:OZu2Vgc0B4TBTiEhL3s3YascgZaTt7cfGQzpzvSOu:OZX6WNOEtQYagUtAfGQzRK
Malware Config
Extracted
Family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service (3 TTPs, 3 IoCs)
Process: c1a282b8f3666a7b2b1ed31110705e7fd9164cb0ccd8315c6da32d11bc981845.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Sality family
UAC bypass
Process: c1a282b8f3666a7b2b1ed31110705e7fd9164cb0ccd8315c6da32d11bc981845.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass
Process: c1a282b8f3666a7b2b1ed31110705e7fd9164cb0ccd8315c6da32d11bc981845.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Disables RegEdit via registry modification (1 IoC)
Process: c1a282b8f3666a7b2b1ed31110705e7fd9164cb0ccd8315c6da32d11bc981845.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"
Disables Task Manager via registry modification
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Process: c1a282b8f3666a7b2b1ed31110705e7fd9164cb0ccd8315c6da32d11bc981845.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation
Windows security modification
Process: c1a282b8f3666a7b2b1ed31110705e7fd9164cb0ccd8315c6da32d11bc981845.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Checks whether UAC is enabled
Process: c1a282b8f3666a7b2b1ed31110705e7fd9164cb0ccd8315c6da32d11bc981845.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: c1a282b8f3666a7b2b1ed31110705e7fd9164cb0ccd8315c6da32d11bc981845.exe
- File opened (read-only): \??\Z:, \??\Q:, \??\R:, \??\S:, \??\V:, \??\T:, \??\U:, \??\X:, \??\E:, \??\J:, \??\L:, \??\M:, \??\P:, \??\G:, \??\K:, \??\N:, \??\O:, \??\H:, \??\I:, \??\W:, \??\Y:
Drops autorun.inf file (1 TTP, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Process: c1a282b8f3666a7b2b1ed31110705e7fd9164cb0ccd8315c6da32d11bc981845.exe
- File opened for modification: C:\autorun.inf
- File opened for modification: F:\autorun.inf
Drops file in Program Files directory (11 IoCs)
Process: c1a282b8f3666a7b2b1ed31110705e7fd9164cb0ccd8315c6da32d11bc981845.exe
File opened for modification:
- C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe
- C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe
- C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe
- C:\PROGRAM FILES\7-ZIP\7z.exe
- C:\PROGRAM FILES\7-ZIP\Uninstall.exe
- C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe
- C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe
- C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe
- C:\PROGRAM FILES\7-ZIP\7zFM.exe
- C:\PROGRAM FILES\7-ZIP\7zG.exe
- C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe
Drops file in Windows directory (1 IoC)
Process: c1a282b8f3666a7b2b1ed31110705e7fd9164cb0ccd8315c6da32d11bc981845.exe
- File opened for modification: C:\Windows\SYSTEM.INI
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (c1a282b8f3666a7b2b1ed31110705e7fd9164cb0ccd8315c6da32d11bc981845.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (mshta.exe)
Suspicious behavior: EnumeratesProcesses (24 IoCs)
- PID 864: c1a282b8f3666a7b2b1ed31110705e7fd9164cb0ccd8315c6da32d11bc981845.exe (24 identical entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeDebugPrivilege, PID 864: c1a282b8f3666a7b2b1ed31110705e7fd9164cb0ccd8315c6da32d11bc981845.exe (64 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
PID 864 (c1a282b8f3666a7b2b1ed31110705e7fd9164cb0ccd8315c6da32d11bc981845.exe) wrote to memory of the following target PIDs (procid_target in parentheses; the 64 entries are repeats of these):
- 780 (8)
- 788 (9)
- 60 (13)
- 2880 (49)
- 2888 (50)
- 3008 (51)
- 3440 (56)
- 3568 (57)
- 3752 (58)
- 3840 (59)
- 3908 (60)
- 3992 (61)
- 4144 (62)
- 3372 (75)
- 3424 (76)
- 3828 (82)
- 4544 (84)
System policy modification (1 TTP, 1 IoC)
Process: c1a282b8f3666a7b2b1ed31110705e7fd9164cb0ccd8315c6da32d11bc981845.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 780
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 788
- C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
  PID: 60
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2880
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2888
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 3008
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3440
  - C:\Users\Admin\AppData\Local\Temp\c1a282b8f3666a7b2b1ed31110705e7fd9164cb0ccd8315c6da32d11bc981845.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c1a282b8f3666a7b2b1ed31110705e7fd9164cb0ccd8315c6da32d11bc981845.exe"
    PID: 864
    Signatures:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c Tools\init.cmd "C:\Users\Admin\AppData\Local\Temp\bin\Tools\run.hta"
      PID: 3828
      Signatures:
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\bin\Tools\run.hta"
      PID: 4544
      Signatures:
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3568
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3752
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3840
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3908
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3992
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4144
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 3372
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3424
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
Filesize: 100KB
MD5: ed0a3744a2994dac587d84e97addb736
SHA1: 88bce77e29bc725737279859197da8a2c3f6076d
SHA256: 9b9d2c6a4e421831a9d31031d988e7f5f089f7e56001bd5eb8ee953c88ad3859
SHA512: d6cdb3db70afe9c2a27a6e28e381d885558e03440beaddbf91272488ce73934f427c6837ecffb613bf6fdb49fed3d03640e92277bbdd4bf522a350c99c9726ba