Analysis

max time kernel: 29s
max time network: 30s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 29-12-2024 01:47

Static task: static1
Behavioral task: behavioral1
Sample: 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe
Resource: win7-20240903-en
Errors

General

Target: 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe
Size: 945KB
MD5: 30846472b2e0b131869e066de6d065ee
SHA1: 2c6473d66326fdb0b70d305229410d731a4dc57b
SHA256: 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187
SHA512: 6621483ea840bce01867e8932594ff4890844639a6f7c1c258e95274298b90faa0f1b156978405d08567bd23c5cbc121c6e8e9a6bc8e20f2e56683478064cc4f
SSDEEP: 24576:UvoTKUsEyEyK+LS3g9KXqKtu73aB0vlnD:UvouUPk9evtu7KqdD
Malware Config

Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)
description | ioc | Process (all rows: 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe)
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"

Sality family

UAC bypass (signature name as listed in the process tree; heading missing from the extracted report)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe

Windows security bypass (signature name as listed in the process tree; heading missing from the extracted report)
description | ioc | Process (all rows: 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe)
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Sets file to hidden (1 TTPs, 1 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
pid | Process
- 2468 | attrib.exe

Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe

Executes dropped EXE (3 IoCs)
pid | Process
- 2724 | run.exe
- 1796 | boot.exe
- 1580 | run.exe

Loads dropped DLL (9 IoCs)
pid | Process
- 2652 | cmd.exe (2 rows)
- 2988 | 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe (5 rows)
- 1936 | cmd.exe (2 rows)

Modifies file permissions (1 TTPs, 2 IoCs)
pid | Process
- 1620 | icacls.exe
- 2824 | icacls.exe

Windows security modification (signature name as listed in the process tree; heading missing from the extracted report)
description | ioc | Process (all rows: 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe)
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc

Checks whether UAC is enabled (signature name as listed in the process tree; heading missing from the extracted report)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\O:, \??\P:, \??\R:, \??\Q:, \??\S:, \??\T:, \??\E:, \??\G:, \??\J:, \??\M:, \??\U:, \??\V:, \??\Y:, \??\Z:, \??\H:, \??\K:, \??\L:, \??\W:, \??\X:, \??\I:, \??\N: (21 rows) | 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe
- File opened (read-only) | \??\F:, \??\E:, \??\D: (3 rows) | boot.exe

YARA rule match: upx (heading missing from the extracted report)
resource | yara_rule
- behavioral1/memory/2988-<n>-0x0000000002030000-0x00000000030EA000-memory.dmp, for n in 1, 4, 5, 6, 7, 8, 9, 10, 11, 12, 32, 33, 34, 35, 36, 38, 39, 41, 42, 46, 47, 75, 76, 79, 82, 84, 115, 116, 119, 204 (30 rows, all the same memory region of PID 2988) | upx
Drops file in Windows directory (2 IoCs)
description | ioc | Process (all rows: 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe)
- File opened for modification | C:\Windows\SYSTEM.INI
- File created | C:\Windows\f76c3eb

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 14 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (5 rows)
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | run.exe (2 rows)
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe (1 row)
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe (2 rows)
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe (1 row)
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | compact.exe (1 row)
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icacls.exe (2 rows)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
- 2988 | 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe (3 rows)
Suspicious use of AdjustPrivilegeToken (27 IoCs)
description | pid | Process (all rows: 2988, 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe)
- Token: SeDebugPrivilege (26 rows)
- Token: SeShutdownPrivilege (1 row)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (identical rows collapsed, with the row count)
- PID 2988 wrote to memory of 1116 | 2988 | 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe | 19 (2 rows)
- PID 2988 wrote to memory of 1164 | 2988 | 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe | 20 (2 rows)
- PID 2988 wrote to memory of 1192 | 2988 | 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe | 21 (2 rows)
- PID 2988 wrote to memory of 1236 | 2988 | 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe | 23 (2 rows)
- PID 2988 wrote to memory of 2716 | 2988 | 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe | 31 (4 rows)
- PID 2988 wrote to memory of 2652 | 2988 | 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe | 32 (4 rows)
- PID 2652 wrote to memory of 2724 | 2652 | cmd.exe | 35 (4 rows)
- PID 2988 wrote to memory of 1936 | 2988 | 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe | 36 (4 rows)
- PID 2988 wrote to memory of 1796 | 2988 | 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe | 37 (4 rows)
- PID 1936 wrote to memory of 1580 | 1936 | cmd.exe | 39 (4 rows)
- PID 2988 wrote to memory of 1804 | 2988 | 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe | 40 (4 rows)
- PID 2988 wrote to memory of 2468 | 2988 | 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe | 42 (4 rows)
- PID 2988 wrote to memory of 1620 | 2988 | 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe | 44 (4 rows)
- PID 2988 wrote to memory of 2824 | 2988 | 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe | 46 (4 rows)
- PID 2988 wrote to memory of 304 | 2988 | 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe | 48 (4 rows)
- PID 304 wrote to memory of 1300 | 304 | cmd.exe | 50 (4 rows)
- PID 2988 wrote to memory of 2700 | 2988 | 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe | 52 (4 rows)
- PID 2700 wrote to memory of 2956 | 2700 | cmd.exe | 54 (4 rows)
System policy modification (1 TTPs, 1 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe

Views/modifies file attributes (1 TTPs, 1 IoCs)
pid | Process
- 2468 | attrib.exe
Processes

Each entry: image path, command line, PID, then the signatures attributed to that process. Indentation shows the parent/child relationship.

- C:\Windows\system32\taskhost.exe
  command: "taskhost.exe"
  PID: 1116
- C:\Windows\system32\Dwm.exe
  command: "C:\Windows\system32\Dwm.exe"
  PID: 1164
- C:\Windows\Explorer.EXE
  command: C:\Windows\Explorer.EXE
  PID: 1192
  - C:\Users\Admin\AppData\Local\Temp\8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe
    command: "C:\Users\Admin\AppData\Local\Temp\8fe62b5aa221fb6dc9c75ce17226f8397e9e6834dfe188c353f2c3eb01f16187.exe"
    PID: 2988
    signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Checks BIOS information in registry; Loads dropped DLL; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Windows\SysWOW64\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\run.exe /inst sys >C:\Users\Admin\AppData\Local\Temp\tmp.dll
      PID: 2716
      signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\run.exe /rest sys >C:\Users\Admin\AppData\Local\Temp\tmp.dll
      PID: 2652
      signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\run.exe
        command: C:\Users\Admin\AppData\Local\Temp\run.exe /rest sys
        PID: 2724
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\run.exe /inst sys >C:\Users\Admin\AppData\Local\Temp\tmp.dll
      PID: 1936
      signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\run.exe
        command: C:\Users\Admin\AppData\Local\Temp\run.exe /inst sys
        PID: 1580
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\boot.exe
      command: "C:\Users\Admin\AppData\Local\Temp\boot.exe" /nt60 sys
      PID: 1796
      signatures: Executes dropped EXE; Enumerates connected drives
    - C:\Windows\SysWOW64\compact.exe
      command: "C:\Windows\System32\compact.exe" /u /a /i E:\UFHRD
      PID: 1804
      signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\attrib.exe
      command: "C:\Windows\System32\attrib.exe" E:\UFHRD +h +s +r
      PID: 2468
      signatures: Sets file to hidden; System Location Discovery: System Language Discovery; Views/modifies file attributes
    - C:\Windows\SysWOW64\icacls.exe
      command: "C:\Windows\System32\icacls.exe" E:\UFHRD /remove administrators
      PID: 1620
      signatures: Modifies file permissions; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\icacls.exe
      command: "C:\Windows\System32\icacls.exe" E:\UFHRD /inheritance:r
      PID: 2824
      signatures: Modifies file permissions; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /c cscript //nologo %windir%\system32\slmgr.vbs -ilc C:\Users\Admin\AppData\Local\Temp\license.xrm-ms >C:\Users\Admin\AppData\Local\Temp\tmp3.dll
      PID: 304
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cscript.exe
        command: cscript //nologo C:\Windows\system32\slmgr.vbs -ilc C:\Users\Admin\AppData\Local\Temp\license.xrm-ms
        PID: 1300
        signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /c cscript //nologo %windir%\system32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2 >C:\Users\Admin\AppData\Local\Temp\tmp2.dll
      PID: 2700
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cscript.exe
        command: cscript //nologo C:\Windows\system32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2
        PID: 2956
        signatures: System Location Discovery: System Language Discovery
- C:\Windows\system32\DllHost.exe
  command: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1236
- C:\Windows\system32\conhost.exe
  command: \??\C:\Windows\system32\conhost.exe "1137471884-12334883721785849566-1489210440-2097498546253052273-20003769-2123930991"
  PID: 988
- C:\Windows\system32\LogonUI.exe
  command: "LogonUI.exe" /flags:0x0
  PID: 1576
- C:\Windows\system32\LogonUI.exe
  command: "LogonUI.exe" /flags:0x1
  PID: 2776
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- File and Directory Permissions Modification (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads