Analysis
max time kernel: 25s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 18:56
Static task: static1
Behavioral task: behavioral1
Sample: 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Resource: win7-20240903-en
General
Target: 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Size: 128KB
MD5: 8ca0914f53557231e967e9e5adea4770
SHA1: b613395b55895f0292b6876347d5ad038f17b034
SHA256: 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86
SHA512: 62f5d4942c1677d6cee79b431e242e145515a13cd6eda3331ce4769ab09ec54b5999cafe26313b3cc1f0923ed9265bdf2f28175e31723fc3a17019ee54d03bdf
SSDEEP: 1536:1Jf83W8W60IL26Ap8iJ9+pvI8B8FuuKk1p0AxQjKP3xNL+vljZuIkBbmFZ3Oz+Ue:1JCD548iJK+cDm0KNxkllFFxOFdE
Malware Config
Extracted: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe" | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe" | Fun.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe" | SVIQ.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe" | dc.exe
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | Fun.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | Fun.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | Fun.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Fun.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | Fun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | Fun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Fun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Fun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Fun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | Fun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Deletes itself 1 IoCs
pid | Process
2784 | Fun.exe

Executes dropped EXE 3 IoCs
pid | Process
2784 | Fun.exe
2652 | SVIQ.EXE
1404 | dc.exe

Loads dropped DLL 2 IoCs
pid | Process
2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | Fun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Fun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | Fun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | Fun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Fun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Fun.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | Fun.exe
Adds Run key to start application 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe" | SVIQ.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe" | Fun.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE" | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE" | dc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe" | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe" | SVIQ.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe" | Fun.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe" | dc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe" | dc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE" | Fun.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE" | SVIQ.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe" | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Fun.exe
Enumerates connected drives 3 TTPs 10 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | Fun.exe
File opened (read-only) | \??\I: | Fun.exe
File opened (read-only) | \??\L: | Fun.exe
File opened (read-only) | \??\M: | Fun.exe
File opened (read-only) | \??\J: | Fun.exe
File opened (read-only) | \??\K: | Fun.exe
File opened (read-only) | \??\E: | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
File opened (read-only) | \??\G: | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
File opened (read-only) | \??\E: | Fun.exe
File opened (read-only) | \??\G: | Fun.exe
Drops file in System32 directory 10 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\config\Win.exe | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
File opened for modification | C:\Windows\SysWOW64\WinSit.exe | Fun.exe
File opened for modification | C:\Windows\SysWOW64\WinSit.exe | dc.exe
File opened for modification | C:\Windows\SysWOW64\config\Win.exe | dc.exe
File created | C:\Windows\SysWOW64\WinSit.exe | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
File opened for modification | C:\Windows\SysWOW64\WinSit.exe | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
File opened for modification | C:\Windows\SysWOW64\WinSit.exe | SVIQ.EXE
File opened for modification | C:\Windows\SysWOW64\config\Win.exe | SVIQ.EXE
File opened for modification | C:\Windows\SysWOW64\config\Win.exe | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
File opened for modification | C:\Windows\SysWOW64\config\Win.exe | Fun.exe
resource | yara_rule
behavioral1/memory/2008-6-0x0000000002580000-0x000000000360E000-memory.dmp | upx
behavioral1/memory/2008-10-0x0000000002580000-0x000000000360E000-memory.dmp | upx
behavioral1/memory/2008-9-0x0000000002580000-0x000000000360E000-memory.dmp | upx
behavioral1/memory/2008-3-0x0000000002580000-0x000000000360E000-memory.dmp | upx
behavioral1/memory/2008-4-0x0000000002580000-0x000000000360E000-memory.dmp | upx
behavioral1/memory/2008-11-0x0000000002580000-0x000000000360E000-memory.dmp | upx
behavioral1/memory/2008-8-0x0000000002580000-0x000000000360E000-memory.dmp | upx
behavioral1/memory/2008-7-0x0000000002580000-0x000000000360E000-memory.dmp | upx
behavioral1/memory/2008-5-0x0000000002580000-0x000000000360E000-memory.dmp | upx
behavioral1/memory/2008-44-0x0000000002580000-0x000000000360E000-memory.dmp | upx
behavioral1/memory/2008-45-0x0000000002580000-0x000000000360E000-memory.dmp | upx
behavioral1/memory/2008-58-0x0000000002580000-0x000000000360E000-memory.dmp | upx
behavioral1/memory/2008-112-0x0000000002580000-0x000000000360E000-memory.dmp | upx
behavioral1/memory/2008-117-0x0000000002580000-0x000000000360E000-memory.dmp | upx
behavioral1/memory/2008-136-0x0000000002580000-0x000000000360E000-memory.dmp | upx
behavioral1/memory/2008-137-0x0000000002580000-0x000000000360E000-memory.dmp | upx
behavioral1/memory/2008-156-0x0000000002580000-0x000000000360E000-memory.dmp | upx
behavioral1/memory/2784-164-0x0000000004C00000-0x0000000005C8E000-memory.dmp | upx
behavioral1/memory/2784-165-0x0000000004C00000-0x0000000005C8E000-memory.dmp | upx
behavioral1/memory/2784-163-0x0000000004C00000-0x0000000005C8E000-memory.dmp | upx
behavioral1/memory/2784-161-0x0000000004C00000-0x0000000005C8E000-memory.dmp | upx
behavioral1/memory/2784-159-0x0000000004C00000-0x0000000005C8E000-memory.dmp | upx
behavioral1/memory/2784-157-0x0000000004C00000-0x0000000005C8E000-memory.dmp | upx
behavioral1/memory/2784-222-0x0000000004C00000-0x0000000005C8E000-memory.dmp | upx
Drops file in Windows directory 35 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system\Fun.exe | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
File opened for modification | C:\Windows\Help\Other.exe | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
File opened for modification | C:\Windows\SVIQ.EXE | Fun.exe
File opened for modification | C:\Windows\inf\Other.exe | Fun.exe
File created | C:\Windows\SVIQ.EXE | SVIQ.EXE
File created | C:\Windows\system\Fun.exe | dc.exe
File opened for modification | C:\Windows\wininit.ini | dc.exe
File opened for modification | C:\Windows\SVIQ.EXE | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
File created | C:\Windows\inf\Other.exe | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
File opened for modification | C:\Windows\wininit.ini | SVIQ.EXE
File opened for modification | C:\Windows\inf\Other.exe | dc.exe
File opened for modification | C:\Windows\system\Fun.exe | Fun.exe
File opened for modification | C:\Windows\SYSTEM.INI | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
File created | C:\Windows\system\Fun.exe | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
File opened for modification | C:\Windows\inf\Other.exe | SVIQ.EXE
File opened for modification | C:\Windows\system\Fun.exe | SVIQ.EXE
File opened for modification | C:\Windows\SVIQ.exe | SVIQ.EXE
File created | C:\Windows\dc.exe | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
File opened for modification | C:\Windows\inf\Other.exe | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
File opened for modification | C:\Windows\Help\Other.exe | dc.exe
File opened for modification | C:\Windows\dc.exe | dc.exe
File opened for modification | C:\Windows\dc.exe | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
File created | C:\Windows\SVIQ.EXE | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
File opened for modification | C:\Windows\wininit.ini | Fun.exe
File opened for modification | C:\Windows\system\Fun.exe | dc.exe
File created | C:\Windows\system\Fun.exe | Fun.exe
File opened for modification | C:\Windows\dc.exe | SVIQ.EXE
File opened for modification | C:\Windows\Help\Other.exe | SVIQ.EXE
File created | C:\Windows\dc.exe | dc.exe
File created | C:\Windows\Help\Other.exe | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
File opened for modification | C:\Windows\dc.exe | Fun.exe
File opened for modification | C:\Windows\wininit.ini | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
File opened for modification | C:\Windows\Help\Other.exe | Fun.exe
File created | C:\Windows\system\Fun.exe | SVIQ.EXE
File created | C:\Windows\SVIQ.EXE | dc.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fun.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SVIQ.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dc.exe
Suspicious behavior: EnumeratesProcesses 38 IoCs
pid | Process
2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
2784 | Fun.exe
2652 | SVIQ.EXE
1404 | dc.exe
2652 | SVIQ.EXE
2784 | Fun.exe
1404 | dc.exe
2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
2652 | SVIQ.EXE
2784 | Fun.exe
1404 | dc.exe
2784 | Fun.exe
2652 | SVIQ.EXE
1404 | dc.exe
2784 | Fun.exe
2652 | SVIQ.EXE
2784 | Fun.exe
1404 | dc.exe
2652 | SVIQ.EXE
2784 | Fun.exe
1404 | dc.exe
2652 | SVIQ.EXE
2784 | Fun.exe
1404 | dc.exe
2652 | SVIQ.EXE
2784 | Fun.exe
1404 | dc.exe
2652 | SVIQ.EXE
2784 | Fun.exe
1404 | dc.exe
2652 | SVIQ.EXE
2784 | Fun.exe
2784 | Fun.exe
1404 | dc.exe
2652 | SVIQ.EXE
2784 | Fun.exe
Suspicious use of AdjustPrivilegeToken 47 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Token: SeDebugPrivilege | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Token: SeDebugPrivilege | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Token: SeDebugPrivilege | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Token: SeDebugPrivilege | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Token: SeDebugPrivilege | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Token: SeDebugPrivilege | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Token: SeDebugPrivilege | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Token: SeDebugPrivilege | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Token: SeDebugPrivilege | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Token: SeDebugPrivilege | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Token: SeDebugPrivilege | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Token: SeDebugPrivilege | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Token: SeDebugPrivilege | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Token: SeDebugPrivilege | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Token: SeDebugPrivilege | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Token: SeDebugPrivilege | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Token: SeDebugPrivilege | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Token: SeDebugPrivilege | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Token: SeDebugPrivilege | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Token: SeDebugPrivilege | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Token: SeDebugPrivilege | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Token: SeDebugPrivilege | 2784 | Fun.exe
Token: SeDebugPrivilege | 2784 | Fun.exe
Token: SeDebugPrivilege | 2784 | Fun.exe
Token: SeDebugPrivilege | 2784 | Fun.exe
Token: SeDebugPrivilege | 2784 | Fun.exe
Token: SeDebugPrivilege | 2784 | Fun.exe
Token: SeDebugPrivilege | 2784 | Fun.exe
Token: SeDebugPrivilege | 2784 | Fun.exe
Token: SeDebugPrivilege | 2784 | Fun.exe
Token: SeDebugPrivilege | 2784 | Fun.exe
Token: SeDebugPrivilege | 2784 | Fun.exe
Token: SeDebugPrivilege | 2784 | Fun.exe
Token: SeDebugPrivilege | 2784 | Fun.exe
Token: SeDebugPrivilege | 2784 | Fun.exe
Token: SeDebugPrivilege | 2784 | Fun.exe
Token: SeDebugPrivilege | 2784 | Fun.exe
Token: SeDebugPrivilege | 2784 | Fun.exe
Token: SeDebugPrivilege | 2784 | Fun.exe
Token: SeDebugPrivilege | 2784 | Fun.exe
Token: SeDebugPrivilege | 2784 | Fun.exe
Token: SeDebugPrivilege | 2784 | Fun.exe
Token: SeDebugPrivilege | 2784 | Fun.exe
Token: SeDebugPrivilege | 2784 | Fun.exe
Token: SeDebugPrivilege | 2784 | Fun.exe
Token: SeDebugPrivilege | 2784 | Fun.exe
Suspicious use of SetWindowsHookEx 8 IoCs
pid | Process
2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
2784 | Fun.exe
2784 | Fun.exe
2652 | SVIQ.EXE
2652 | SVIQ.EXE
1404 | dc.exe
1404 | dc.exe
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 2008 wrote to memory of 1064 | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe | 18
PID 2008 wrote to memory of 1128 | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe | 19
PID 2008 wrote to memory of 1152 | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe | 20
PID 2008 wrote to memory of 284 | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe | 25
PID 2008 wrote to memory of 2784 | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe | 30
PID 2008 wrote to memory of 2784 | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe | 30
PID 2008 wrote to memory of 2784 | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe | 30
PID 2008 wrote to memory of 2784 | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe | 30
PID 2784 wrote to memory of 2652 | 2784 | Fun.exe | 31
PID 2784 wrote to memory of 2652 | 2784 | Fun.exe | 31
PID 2784 wrote to memory of 2652 | 2784 | Fun.exe | 31
PID 2784 wrote to memory of 2652 | 2784 | Fun.exe | 31
PID 2008 wrote to memory of 1404 | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe | 32
PID 2008 wrote to memory of 1404 | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe | 32
PID 2008 wrote to memory of 1404 | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe | 32
PID 2008 wrote to memory of 1404 | 2008 | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe | 32
PID 2784 wrote to memory of 1064 | 2784 | Fun.exe | 18
PID 2784 wrote to memory of 1128 | 2784 | Fun.exe | 19
PID 2784 wrote to memory of 1152 | 2784 | Fun.exe | 20
PID 2784 wrote to memory of 284 | 2784 | Fun.exe | 25
PID 2784 wrote to memory of 2652 | 2784 | Fun.exe | 31
PID 2784 wrote to memory of 2652 | 2784 | Fun.exe | 31
PID 2784 wrote to memory of 1404 | 2784 | Fun.exe | 32
PID 2784 wrote to memory of 1404 | 2784 | Fun.exe | 32
PID 2784 wrote to memory of 1064 | 2784 | Fun.exe | 18
PID 2784 wrote to memory of 1128 | 2784 | Fun.exe | 19
PID 2784 wrote to memory of 1152 | 2784 | Fun.exe | 20
PID 2784 wrote to memory of 284 | 2784 | Fun.exe | 25
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Fun.exe
Processes
Process tree (nesting shown by indentation; each entry is image path, command line, PID):

C:\Windows\system32\taskhost.exe  "taskhost.exe"  PID:1064

C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  PID:1128

C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:1152
  C:\Users\Admin\AppData\Local\Temp\2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe  "C:\Users\Admin\AppData\Local\Temp\2001864f0b752fc7b56debc9cd6694ea55dab1b029d1870c45aa520640ba1f86.exe"  PID:2008
    - Modifies WinLogon for persistence
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\system\Fun.exe  C:\Windows\system\Fun.exe  PID:2784
      - Modifies WinLogon for persistence
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Deletes itself
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      C:\Windows\SVIQ.EXE  C:\Windows\SVIQ.EXE  PID:2652
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
    C:\Windows\dc.exe  C:\Windows\dc.exe  PID:1404
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:284
Network
MITRE ATT&CK Enterprise v15 (counts in parentheses)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (7)