Analysis
max time kernel: 81s
max time network: 31s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 31-12-2024 21:47
Static task: static1
Behavioral task: behavioral1
Sample: da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Resource: win7-20240729-en

General
Target: da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Size: 416KB
MD5: b436326e7133bdb8916628cc43cc53d0
SHA1: 82e8f935c783e419bd47b11bc76febc818e45abc
SHA256: da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0
SHA512: ae1d1d4c2c120c4bb5e72cfac876e7f58449eeb214bdfa87ac96ac96f7e45a71132a875435acf7a834f07cee30d1e3251e1a5b4638819c16022b55c209a23c93
SSDEEP: 6144:UFfDAEl3nOvkGe/DDWGszKjV1eNHkG+ovUM3ep3DWhvhlWOA:kwGDWGszKjV1eWGL5epTWhvhl1
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Sality family
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Loads dropped DLL (16 IoCs)
pid | Process
2848 | msiexec.exe
2848 | msiexec.exe
2848 | msiexec.exe
2848 | msiexec.exe
2848 | msiexec.exe
2848 | msiexec.exe
2848 | msiexec.exe
2848 | msiexec.exe
2848 | msiexec.exe
2848 | msiexec.exe
2848 | msiexec.exe
2848 | msiexec.exe
2848 | msiexec.exe
2848 | msiexec.exe
2848 | msiexec.exe
2848 | msiexec.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
YARA rule matches (upx)
resource | yara_rule
behavioral1/memory/2748-13-0x0000000002470000-0x000000000352A000-memory.dmp | upx
behavioral1/memory/2748-21-0x0000000002470000-0x000000000352A000-memory.dmp | upx
behavioral1/memory/2748-19-0x0000000002470000-0x000000000352A000-memory.dmp | upx
behavioral1/memory/2748-17-0x0000000002470000-0x000000000352A000-memory.dmp | upx
behavioral1/memory/2748-15-0x0000000002470000-0x000000000352A000-memory.dmp | upx
behavioral1/memory/2748-20-0x0000000002470000-0x000000000352A000-memory.dmp | upx
behavioral1/memory/2748-16-0x0000000002470000-0x000000000352A000-memory.dmp | upx
behavioral1/memory/2748-53-0x0000000002470000-0x000000000352A000-memory.dmp | upx
behavioral1/memory/2748-50-0x0000000002470000-0x000000000352A000-memory.dmp | upx
behavioral1/memory/2748-48-0x0000000002470000-0x000000000352A000-memory.dmp | upx
behavioral1/memory/2748-18-0x0000000002470000-0x000000000352A000-memory.dmp | upx
behavioral1/memory/2748-55-0x0000000002470000-0x000000000352A000-memory.dmp | upx
behavioral1/memory/2748-54-0x0000000002470000-0x000000000352A000-memory.dmp | upx
behavioral1/memory/2748-68-0x0000000002470000-0x000000000352A000-memory.dmp | upx
behavioral1/memory/2748-88-0x0000000002470000-0x000000000352A000-memory.dmp | upx
behavioral1/memory/2748-87-0x0000000002470000-0x000000000352A000-memory.dmp | upx
behavioral1/memory/2748-90-0x0000000002470000-0x000000000352A000-memory.dmp | upx
behavioral1/memory/2748-91-0x0000000002470000-0x000000000352A000-memory.dmp | upx
behavioral1/memory/2748-92-0x0000000002470000-0x000000000352A000-memory.dmp | upx
behavioral1/memory/2748-93-0x0000000002470000-0x000000000352A000-memory.dmp | upx
behavioral1/memory/2748-96-0x0000000002470000-0x000000000352A000-memory.dmp | upx
behavioral1/memory/2748-97-0x0000000002470000-0x000000000352A000-memory.dmp | upx
behavioral1/memory/2748-115-0x0000000002470000-0x000000000352A000-memory.dmp | upx
behavioral1/memory/2748-228-0x0000000002470000-0x000000000352A000-memory.dmp | upx
Drops file in Program Files directory (11 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\MSECACHE\WICU3\readme.txt | wscript.exe
File created | C:\Program Files (x86)\MSECACHE\WICU3\Ansi\MsiZap.exe | msiexec.exe
File created | C:\Program Files (x86)\Windows Installer Clean Up\msicuu.exe | msiexec.exe
File created | C:\Program Files (x86)\Windows Installer Clean Up\MsiZap.exe | msiexec.exe
File created | C:\Program Files (x86)\MSECACHE\WICU3\Unicode\MsiZap.exe | msiexec.exe
File created | C:\Program Files (x86)\Windows Installer Clean Up\readme.txt | msiexec.exe
File created | C:\Program Files (x86)\MSECACHE\WICU3\msicuu.exe | wscript.exe
File opened for modification | C:\Program Files (x86)\MSECACHE\WICU3\msicuu.exe | wscript.exe
File created | C:\Program Files (x86)\MSECACHE\WICU3\msicuu.msi | wscript.exe
File created | C:\Program Files (x86)\MSECACHE\WICU3\MsiZapA.exe | wscript.exe
File created | C:\Program Files (x86)\MSECACHE\WICU3\MsiZapU.exe | wscript.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\Installer\f7761df.msi | msiexec.exe
File created | C:\Windows\Installer\f7761e0.ipi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI62C9.tmp | msiexec.exe
File created | C:\Windows\Installer\f7761e2.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f7761e0.ipi | msiexec.exe
File created | C:\Windows\f76f5e3 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
File opened for modification | C:\Windows\SYSTEM.INI | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
File opened for modification | C:\Windows\Installer\f7761df.msi | msiexec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wscript.exe
Modifies data under HKEY_USERS (43 IoCs)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
1300 | msiexec.exe
1300 | msiexec.exe
2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Token: SeDebugPrivilege | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Token: SeDebugPrivilege | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Token: SeDebugPrivilege | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Token: SeDebugPrivilege | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Token: SeDebugPrivilege | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Token: SeDebugPrivilege | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Token: SeDebugPrivilege | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Token: SeDebugPrivilege | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Token: SeDebugPrivilege | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Token: SeDebugPrivilege | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Token: SeDebugPrivilege | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Token: SeDebugPrivilege | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Token: SeDebugPrivilege | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Token: SeDebugPrivilege | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Token: SeDebugPrivilege | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Token: SeDebugPrivilege | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Token: SeDebugPrivilege | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Token: SeDebugPrivilege | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Token: SeDebugPrivilege | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Token: SeDebugPrivilege | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Token: SeDebugPrivilege | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Token: SeDebugPrivilege | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Token: SeShutdownPrivilege | 2848 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2848 | msiexec.exe
Token: SeRestorePrivilege | 1300 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1300 | msiexec.exe
Token: SeSecurityPrivilege | 1300 | msiexec.exe
Token: SeCreateTokenPrivilege | 2848 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2848 | msiexec.exe
Token: SeLockMemoryPrivilege | 2848 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2848 | msiexec.exe
Token: SeMachineAccountPrivilege | 2848 | msiexec.exe
Token: SeTcbPrivilege | 2848 | msiexec.exe
Token: SeSecurityPrivilege | 2848 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2848 | msiexec.exe
Token: SeLoadDriverPrivilege | 2848 | msiexec.exe
Token: SeSystemProfilePrivilege | 2848 | msiexec.exe
Token: SeSystemtimePrivilege | 2848 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2848 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2848 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2848 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2848 | msiexec.exe
Token: SeBackupPrivilege | 2848 | msiexec.exe
Token: SeRestorePrivilege | 2848 | msiexec.exe
Token: SeShutdownPrivilege | 2848 | msiexec.exe
Token: SeDebugPrivilege | 2848 | msiexec.exe
Token: SeAuditPrivilege | 2848 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2848 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2848 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2848 | msiexec.exe
Token: SeUndockPrivilege | 2848 | msiexec.exe
Token: SeSyncAgentPrivilege | 2848 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2848 | msiexec.exe
Token: SeManageVolumePrivilege | 2848 | msiexec.exe
Token: SeImpersonatePrivilege | 2848 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2848 | msiexec.exe
Token: SeDebugPrivilege | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Token: SeDebugPrivilege | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Token: SeBackupPrivilege | 2392 | vssvc.exe
Token: SeRestorePrivilege | 2392 | vssvc.exe
Token: SeAuditPrivilege | 2392 | vssvc.exe
Token: SeBackupPrivilege | 1300 | msiexec.exe
Token: SeRestorePrivilege | 1300 | msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
2848 | msiexec.exe
2848 | msiexec.exe
Suspicious use of WriteProcessMemory (35 IoCs)
description | pid | Process | procid_target
PID 2748 wrote to memory of 2192 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 31
PID 2748 wrote to memory of 2192 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 31
PID 2748 wrote to memory of 2192 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 31
PID 2748 wrote to memory of 2192 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 31
PID 2748 wrote to memory of 2192 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 31
PID 2748 wrote to memory of 2192 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 31
PID 2748 wrote to memory of 2192 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 31
PID 2748 wrote to memory of 1060 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 18
PID 2748 wrote to memory of 1120 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 19
PID 2748 wrote to memory of 1180 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 21
PID 2748 wrote to memory of 1140 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 23
PID 2748 wrote to memory of 2192 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 31
PID 2748 wrote to memory of 2192 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 31
PID 2192 wrote to memory of 2848 | 2192 | wscript.exe | 32
PID 2192 wrote to memory of 2848 | 2192 | wscript.exe | 32
PID 2192 wrote to memory of 2848 | 2192 | wscript.exe | 32
PID 2192 wrote to memory of 2848 | 2192 | wscript.exe | 32
PID 2192 wrote to memory of 2848 | 2192 | wscript.exe | 32
PID 2192 wrote to memory of 2848 | 2192 | wscript.exe | 32
PID 2192 wrote to memory of 2848 | 2192 | wscript.exe | 32
PID 2748 wrote to memory of 1060 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 18
PID 2748 wrote to memory of 1120 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 19
PID 2748 wrote to memory of 1180 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 21
PID 2748 wrote to memory of 1140 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 23
PID 2748 wrote to memory of 2848 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 32
PID 2748 wrote to memory of 2848 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 32
PID 2748 wrote to memory of 1060 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 18
PID 2748 wrote to memory of 1120 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 19
PID 2748 wrote to memory of 1180 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 21
PID 2748 wrote to memory of 1140 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 23
PID 2748 wrote to memory of 1060 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 18
PID 2748 wrote to memory of 1120 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 19
PID 2748 wrote to memory of 1180 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 21
PID 2748 wrote to memory of 1140 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 23
PID 2748 wrote to memory of 1512 | 2748 | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe | 37
System policy modification (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\taskhost.exe  "taskhost.exe"  PID:1060

C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  PID:1120

C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:1180
    C:\Users\Admin\AppData\Local\Temp\da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe  "C:\Users\Admin\AppData\Local\Temp\da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe"  PID:2748
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
        C:\Windows\SysWOW64\wscript.exe  wscript StartMsi.vbs  PID:2192
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\msiexec.exe  "C:\Windows\System32\msiexec.exe" /i "C:\Program Files (x86)\MSECACHE\WICU3\msicuu.msi"  PID:2848
            - Loads dropped DLL
            - Enumerates connected drives
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow

C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:1140

C:\Windows\system32\msiexec.exe  C:\Windows\system32\msiexec.exe /V  PID:1300
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe  C:\Windows\system32\vssvc.exe  PID:2392
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe  DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005DC" "0000000000000328"  PID:636
- Drops file in Windows directory
- Modifies data under HKEY_USERS

C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}  PID:1512
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (6)
Downloads