Analysis

max time kernel: 97s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-12-2024 21:47

Static task: static1
Behavioral task: behavioral1
Sample: da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Resource: win7-20240729-en

Note: the behavioral task entry names the win7-20240729-en resource, while the analysis header above and the memory-dump paths below (behavioral2/…) belong to the win10v2004-20241007-en image; the processes in the IoCs (fontdrvhost.exe, sihost.exe, CDPUserSvc) only exist on Windows 10, so the behaviour recorded on this page is from the Windows 10 run.

General

Target: da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Size: 416KB
MD5: b436326e7133bdb8916628cc43cc53d0
SHA1: 82e8f935c783e419bd47b11bc76febc818e45abc
SHA256: da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0
SHA512: ae1d1d4c2c120c4bb5e72cfac876e7f58449eeb214bdfa87ac96ac96f7e45a71132a875435acf7a834f07cee30d1e3251e1a5b4638819c16022b55c209a23c93
SSDEEP: 6144:UFfDAEl3nOvkGe/DDWGszKjV1eNHkG+ovUM3ep3DWhvhlWOA:kwGDWGszKjV1eWGL5epTWhvhl1
Malware Config

Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)
Process da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe, Set value (int):
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Sality family

UAC bypass (1 IoC)
Process da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe, Set value (int):
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Setting EnableLUA to 0 turns UAC off for the whole machine, but only after the next reboot; in the sandbox run itself the sample is still operating under the original UAC setting.

Windows security bypass (6 IoCs)
Process da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe, Set value (int):
- \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"

The WOW6432Node path is the 32-bit registry view: the sample is a 32-bit process (its children run from SysWOW64), so its writes to HKLM\SOFTWARE\Microsoft\Security Center are redirected there by the WOW64 registry redirector. When checking a host, query both the 32-bit and the native view.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Process wscript.exe, Key value queried:
- \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation

The query is made by wscript.exe while it runs StartMsi.vbs (see the process tree), not by the sample itself, and reading Geo\Nation is routine locale initialisation for Windows components. Treat this as weak evidence of geofencing.

Windows security modification (7 IoCs)
Process da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe:
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Adds Run key to start application (2 TTPs, 1 IoC)
Process da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe, Set value (str):
- \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\""

This RunOnce entry is the standard clean-up hook that an IExpress (wextract) self-extracting package registers so that its IXP000.TMP extraction folder is deleted at the next logon. It points at the temp folder, not at the sample, so it is not persistence for the malware; it shows that the carrier is a self-extractor that unpacks to IXP000.TMP, runs StartMsi.vbs and then installs msicuu.msi via msiexec (see the process tree).

Checks whether UAC is enabled (1 IoC)
Process da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe, Set value (int):
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
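The registry writes listed in the signatures above (firewall policy, EnableLUA, the Security Center overrides) are the first things to verify on a host suspected of carrying this sample. The Python below is added here as a worked example and is not part of the sandbox report: it parses `reg query` output and reports every value that still holds what the sample wrote. The indicator list is copied from this page's IoCs; the `reg query` text is constructed to mirror them and was not captured from a host; and the HKLM/\REGISTRY\MACHINE and ControlSet001/CurrentControlSet normalisation is the example's own convenience, not something the report specifies.

```python
"""
Registry tamper check for the defence-evasion values in this Sality report.

Added example for this analysis page, not part of the sandbox output.  The
indicator list is copied from the report's IoCs; INFECTED_DUMP / CLEAN_DUMP
are constructed `reg query` output, not captures from a real host.  On a host
you would feed in the output of, for example:
    reg query "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Security Center"
"""
import re
from typing import Dict, List, Tuple

RegSnapshot = Dict[str, Dict[str, int]]  # normalised key path -> {lower-cased value name -> int}

# (key path as the report writes it, value name, value the sample wrote)
SALITY_TAMPER_INDICATORS: List[Tuple[str, str, int]] = [
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile", "EnableFirewall", 0),
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile", "DoNotAllowExceptions", 0),
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile", "DisableNotifications", 1),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", 0),
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center", "UacDisableNotify", 1),
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center", "AntiVirusOverride", 1),
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center", "AntiVirusDisableNotify", 1),
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center", "FirewallDisableNotify", 1),
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center", "FirewallOverride", 1),
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center", "UpdatesDisableNotify", 1),
]

# reg.exe prints value rows as four spaces, name, four spaces, type, four spaces, data.
_REG_ROW = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")


def normalize_key(path: str) -> str:
    """Bring the reg.exe spelling (HKLM, CurrentControlSet) and the kernel spelling
    (REGISTRY/MACHINE, ControlSet001) of one key onto a single upper-cased form."""
    p = path.strip().rstrip("\\").upper()
    p = re.sub(r"^(HKEY_LOCAL_MACHINE|HKLM)", r"\\REGISTRY\\MACHINE", p)
    p = re.sub(r"\\CONTROLSET\d{3}\\", r"\\CURRENTCONTROLSET\\", p)
    return p


def parse_reg_query(text: str) -> RegSnapshot:
    """Parse `reg query` output: an unindented key line, then indented value rows.
    Only integer types are kept, which is all these indicators need."""
    snapshot: RegSnapshot = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current = normalize_key(line)
            snapshot.setdefault(current, {})
            continue
        row = _REG_ROW.match(line)
        if row is None or current is None or row.group("type") not in ("REG_DWORD", "REG_QWORD"):
            continue
        snapshot[current][row.group("name").strip().lower()] = int(row.group("data"), 16)
    return snapshot


def find_tampering(snapshot: RegSnapshot) -> List[str]:
    """One finding per indicator whose live value equals what the sample wrote."""
    findings = []
    for key, name, written in SALITY_TAMPER_INDICATORS:
        live = snapshot.get(normalize_key(key), {}).get(name.lower())
        if live == written:
            findings.append(f"{name} = {written}  under {key}")
    return findings


# Constructed `reg query` output reproducing the values the sample set (not captured from a host).
INFECTED_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    EnableFirewall    REG_DWORD    0x0
    DoNotAllowExceptions    REG_DWORD    0x0
    DisableNotifications    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x0
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
    UacDisableNotify    REG_DWORD    0x1
    AntiVirusOverride    REG_DWORD    0x1
    AntiVirusDisableNotify    REG_DWORD    0x1
    FirewallDisableNotify    REG_DWORD    0x1
    FirewallOverride    REG_DWORD    0x1
    UpdatesDisableNotify    REG_DWORD    0x1
"""

# Constructed output for the same keys at their default values: nothing should be reported.
CLEAN_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    EnableFirewall    REG_DWORD    0x1
    DisableNotifications    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
    AntiVirusOverride    REG_DWORD    0x0
"""

if __name__ == "__main__":
    for finding in find_tampering(parse_reg_query(INFECTED_DUMP)):
        print("TAMPERED:", finding)
```

A matching value is a finding, not proof of this sample: administrators do sometimes set EnableLUA to 0 themselves, so correlate with the SYSTEM.INI write, the C:\Windows drop and the infected Program Files executables listed further down before concluding. The `DoNotAllowExceptions = 0` indicator is also the Windows default, which is why it is reported alongside the others rather than on its own.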
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) on \??\<letter>:, per process:
- da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe: E, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z (21 IoCs)
- msiexec.exe: A, B, E, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z (43 IoCs; most letters were probed more than once)

The msiexec.exe probes are normal Windows Installer behaviour while it costs the msicuu.msi install. The sample's sweep of every letter from E: to Z: is the part to note: it is looking for writable volumes to spread to, which is what produces the F:\autorun.inf write recorded next.
Drops autorun.inf file (1 TTP, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Process da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe, File opened for modification:
- C:\autorun.inf
- F:\autorun.inf

AutoRun for non-optical media has been disabled by default since Windows 7 and the KB971029 update for earlier versions, so on a patched host these files will not execute anything by themselves. They remain a useful spreading indicator: an autorun.inf at the root of a fixed or network drive is something to check on every volume the infected host could write to.
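Sality pads its autorun.inf files with junk and comment lines around an otherwise valid [autorun] section, which can trip a strict INI parser. The Python below is added here as a worked example and is not part of the sandbox report: it walks such a file tolerantly, keeps only the [autorun] section, and reports which directives would launch code when the volume is opened. The sample autorun.inf text and the executable name `ngyp.exe` inside it are constructed placeholders, not files recovered from this run.

```python
r"""
Tolerant autorun.inf triage for files like the C:\autorun.inf and F:\autorun.inf
the sample wrote.

Added example for this analysis page, not part of the sandbox output.  SAMPLE_INF
is constructed to imitate the Sality layout (padding lines, mixed-case keys); the
executable name in it is a placeholder, not a file recovered from this run.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Directives the shell acts on when a volume is inserted or double-clicked.
EXEC_DIRECTIVES = ("open", "shellexecute")
_SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command=...
_SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]$")


@dataclass
class AutorunFindings:
    directives: Dict[str, str] = field(default_factory=dict)  # lower-cased key -> value, [autorun] only
    launch_targets: List[str] = field(default_factory=list)    # commands that would be executed
    junk_lines: int = 0                                        # non key=value lines inside [autorun]

    @property
    def suspicious(self) -> bool:
        # A vendor autorun.inf sets icon/label; anything that launches code deserves a look.
        return bool(self.launch_targets)


def parse_autorun_inf(text: str) -> AutorunFindings:
    """Walk the file line by line, keep only the [autorun] section, tolerate padding."""
    findings = AutorunFindings()
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = _SECTION.match(line)
        if section:
            in_autorun = section.group("name").strip().lower() == "autorun"
            continue
        if not in_autorun:
            continue
        if line.startswith(";") or "=" not in line:
            findings.junk_lines += 1          # comment or padding: count it, do not fail on it
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        value = value.strip().strip('"')
        findings.directives[key] = value
        if key in EXEC_DIRECTIVES or _SHELL_COMMAND.match(key):
            findings.launch_targets.append(value)
    return findings


# Constructed sample in the Sality layout: padding before and inside the section,
# mixed-case keys, and every launch directive pointing at one dropped executable.
SAMPLE_INF = r"""
;}x?k junk before the section
[AutoRun]
;@#! padding
opEn=ngyp.exe
}}"x~ padding without a comment marker
shell\open\Command=ngyp.exe
shell\explore\command=ngyp.exe
shellexecute=ngyp.exe
useautoplay=1
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# A legitimate vendor-style autorun.inf for contrast (constructed).
BENIGN_INF = "[autorun]\nicon=setup.ico\nlabel=Backup drive\n"

if __name__ == "__main__":
    result = parse_autorun_inf(SAMPLE_INF)
    print("suspicious:", result.suspicious, "| junk lines tolerated:", result.junk_lines)
    for target in result.launch_targets:
        print("would launch:", target)
```

When the file names a target, hash that executable and compare it with the carrier: Sality drops a copy of its own dropper at the volume root, so a match ties the autorun.inf to the infection rather than to an old vendor installer left on the drive.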
YARA rule match: upx (39 IoCs)
Rule upx matched the memory dumps of PID 4176 for the region 0x0000000002480000-0x000000000353A000 in 39 snapshots: behavioral2/memory/4176-<n>-0x0000000002480000-0x000000000353A000-memory.dmp for n = 3, 16, 17, 22, 23, 24, 33, 36, 37, 39, 51, 52, 55, 56, 57, 59, 63, 64, 67, 68, 70, 71, 74, 82, 84, 86, 87, 89, 90, 91, 94, 96, 98, 99, 101, 102, 104, 105, 177.

The region is 0x10BA000 bytes (about 17 MB), far larger than the 416KB image, so the match is on a heap or VirtualAlloc region the sample populates rather than on the mapped executable, and it stays present from the earliest dump to the last.
Drops file in Program Files directory (22 IoCs)
Process da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe, File opened for modification (existing executables on the image):
- C:\Program Files\7-Zip\7z.exe
- C:\Program Files\7-Zip\7zFM.exe
- C:\Program Files\7-Zip\7zG.exe
- C:\Program Files\7-Zip\Uninstall.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Process wscript.exe:
- File created: C:\Program Files (x86)\MSECACHE\WICU3\msicuu.exe
- File opened for modification: C:\Program Files (x86)\MSECACHE\WICU3\msicuu.exe
- File created: C:\Program Files (x86)\MSECACHE\WICU3\msicuu.msi
- File created: C:\Program Files (x86)\MSECACHE\WICU3\MsiZapA.exe
- File created: C:\Program Files (x86)\MSECACHE\WICU3\MsiZapU.exe
- File created: C:\Program Files (x86)\MSECACHE\WICU3\readme.txt
Process msiexec.exe, File created:
- C:\Program Files (x86)\MSECACHE\WICU3\Ansi\MsiZap.exe
- C:\Program Files (x86)\MSECACHE\WICU3\Unicode\MsiZap.exe
- C:\Program Files (x86)\Windows Installer Clean Up\msicuu.exe
- C:\Program Files (x86)\Windows Installer Clean Up\MsiZap.exe
- C:\Program Files (x86)\Windows Installer Clean Up\readme.txt

The sample creates nothing under Program Files; its eleven entries are write opens on executables that already exist on the image (7-Zip and Office Click-to-Run), which is the file-infecting behaviour Sality is known for. Any host that ran this needs those binaries re-hashed against known-good copies; an antivirus clean of the dropper alone leaves the infected executables in place. The wscript.exe and msiexec.exe entries are the Windows Installer Clean Up (msicuu) installation that the carrier package performs.
Drops file in Windows directory (10 IoCs)
Process da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe:
- File opened for modification: C:\Windows\SYSTEM.INI
- File created: C:\Windows\e579635
Process msiexec.exe:
- File created: C:\Windows\Installer\SourceHash{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
- File created: C:\Windows\Installer\e583285.msi
- File opened for modification: C:\Windows\Installer\e583285.msi
- File created: C:\Windows\Installer\e583287.msi
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi
- File opened for modification: C:\Windows\Installer\
- File opened for modification: C:\Windows\Installer\MSI336F.tmp
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Only the two entries attributed to the sample matter for detection: Sality is known to write a marker section into SYSTEM.INI, and the randomly named file directly under C:\Windows is its dropped component. The msiexec.exe entries are ordinary Windows Installer bookkeeping for the msicuu.msi install.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by:
- da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
- wscript.exe
- msiexec.exe

All three processes, including the two Microsoft installer components, open the same key, so this is ordinary NLS initialisation rather than targeted discovery by the sample.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Process vssvc.exe, under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters:
- Key opened: Device Parameters
- Key queried: Device Parameters
- Key created: Device Parameters\Partmgr
- Set value (data): Device Parameters\Partmgr\PartitionTableCache = … (value not shown)
- Set value (data): Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Every one of these IoCs comes from vssvc.exe, the Volume Shadow Copy service, which Windows Installer triggers when it creates a restore point for the msicuu.msi install (the SnapshotDataCache value begins with the ASCII tag SNAPPART). The sample never touches these keys, so the sandbox-detection description attached to this signature does not apply to this run.
Suspicious behavior: EnumeratesProcesses (12 IoCs)
- PID 4176 da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe (10 occurrences)
- PID 4648 msiexec.exe (2 occurrences; this PID is the Windows Installer service instance and does not appear in the visible process tree)

The sample's repeated process enumeration is the target-selection step for the WriteProcessMemory activity recorded below.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeDebugPrivilege, PID 4176 da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe (all 64 occurrences)

SeDebugPrivilege is what lets the sample open handles to processes it does not own, such as fontdrvhost.exe, dwm.exe and Explorer.EXE; it is the enabling step for the injection recorded under WriteProcessMemory.
Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 1736 msiexec.exe (2 occurrences)
Suspicious use of WriteProcessMemory (64 IoCs)
The 64 records are repeats of 18 distinct source/target pairs. The number in parentheses is the report's procid_target index.

PID 4176 (da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe) wrote to the memory of:
- 780 fontdrvhost.exe (8)
- 784 fontdrvhost.exe (9)
- 376 dwm.exe (13)
- 2584 sihost.exe (42)
- 2596 svchost.exe -k UnistackSvcGroup -s CDPUserSvc (43)
- 2708 taskhostw.exe (45)
- 3508 Explorer.EXE (56)
- 3668 (57), 3864 (58), 3964 (59), 4068 (60), 2472 (61), 4116 (62), 1696 (75), 2168 (76): processes not shown in the visible process list
- 1336 wscript.exe (82), its own child
- 1736 msiexec.exe (83), the wscript.exe child

PID 1336 (wscript.exe) wrote to the memory of:
- 1736 msiexec.exe (83)

The parent-to-child writes (4176 to 1336, 1336 to 1736) are part of normal process creation. The writes into fontdrvhost.exe, dwm.exe, sihost.exe, svchost.exe, taskhostw.exe and Explorer.EXE, none of which the sample started, are the sample injecting into every process it can open, which is the Sality pattern and the reason it enables SeDebugPrivilege.
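Sixty-four records that are really eighteen distinct pairs read more easily as a fan-out table. The Python below is added here as a worked example and is not part of the sandbox report: it parses the flattened "wrote to memory of" records and process-tree lines in exactly the form they take on this page, de-duplicates them, resolves target PIDs to image names, and flags any target the visible tree does not list rather than guessing. The input is a constructed subset of this page's own lines; the sample's tree line has its PID appended so that it resolves.

```python
r"""
Collapse the report's WriteProcessMemory records into an injection map.

Added example for this analysis page, not part of the sandbox output.  The input
strings are a subset of the page's own flattened lines (process-tree entries and
"PID X wrote to memory of Y" records); the sample's tree line is reconstructed
with its PID so it can be resolved.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
_WRITE = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<idx>\d+)")
# "<path>.exe<command line><depth>⤵PID:<pid>", the shape of a flattened process-tree line
_PROC = re.compile(r"^(?P<path>[A-Za-z]:\\\S+?\.(?:exe|EXE))(?P<cmd>.*?)(?P<depth>\d+)⤵PID:(?P<pid>\d+)$")


def parse_process_list(text: str) -> Dict[int, str]:
    """PID -> image base name, from the flattened process-tree lines."""
    names: Dict[int, str] = {}
    for line in text.splitlines():
        m = _PROC.match(line.strip())
        if m:
            names[int(m.group("pid"))] = m.group("path").rsplit("\\", 1)[-1]
    return names


def parse_write_events(text: str) -> List[Tuple[int, int, str]]:
    """(source pid, target pid, source image) for every record; duplicates are kept
    so the caller can see how inflated the raw count is."""
    return [(int(m.group("src")), int(m.group("dst")), m.group("image")) for m in _WRITE.finditer(text)]


def injection_fanout(events: List[Tuple[int, int, str]], names: Dict[int, str]) -> Dict[int, List[str]]:
    """Unique targets per source PID, labelled with the target image where the tree
    shows it; targets the visible tree does not list are flagged, not guessed."""
    targets: Dict[int, set] = defaultdict(set)
    for src, dst, _ in events:
        targets[src].add(dst)
    return {
        src: [f"{pid} ({names.get(pid, 'not in visible process list')})" for pid in sorted(pids)]
        for src, pids in targets.items()
    }


# Process-tree lines as they appear on the page, plus the sample's line with its PID appended.
PROCESS_LIST = r"""
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:780
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:784
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:376
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2584
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2596
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2708
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3508
C:\Users\Admin\AppData\Local\Temp\da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe"C:\Users\Admin\AppData\Local\Temp\da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe"2⤵PID:4176
"""

# Twelve of the report's 64 WriteProcessMemory records (the 1336 entry is repeated, as on the page).
WRITE_EVENTS = """
PID 4176 wrote to memory of 1336 4176 da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe 82
PID 4176 wrote to memory of 1336 4176 da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe 82
PID 4176 wrote to memory of 1336 4176 da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe 82
PID 4176 wrote to memory of 780 4176 da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe 8
PID 4176 wrote to memory of 784 4176 da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe 9
PID 4176 wrote to memory of 376 4176 da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe 13
PID 4176 wrote to memory of 2584 4176 da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe 42
PID 4176 wrote to memory of 2596 4176 da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe 43
PID 4176 wrote to memory of 2708 4176 da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe 45
PID 4176 wrote to memory of 3508 4176 da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe 56
PID 4176 wrote to memory of 3668 4176 da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe 57
PID 1336 wrote to memory of 1736 1336 wscript.exe 83
"""

if __name__ == "__main__":
    names = parse_process_list(PROCESS_LIST)
    for src, targets in injection_fanout(parse_write_events(WRITE_EVENTS), names).items():
        print(f"{src} {names.get(src, '?')} -> {len(targets)} distinct targets")
        for target in targets:
            print("   ", target)
```

The records are matched with `finditer`, so the same code works whether the report delivers them one per line or run together on a single long line as this page does. A source whose only targets are its own children is ordinary process creation; a source with a long list of system processes it did not start, as PID 4176 has here, is the injection to investigate.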
System policy modification (1 TTPs, 1 IoCs)
- Description: Set value (int)
- IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Process: da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (path, command line in parentheses, PID; indentation shows the parent/child process tree)
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe") PID:780
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe") PID:784
- C:\Windows\system32\dwm.exe ("dwm.exe") PID:376
- C:\Windows\system32\sihost.exe (sihost.exe) PID:2584
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc) PID:2596
- C:\Windows\system32\taskhostw.exe (taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}) PID:2708
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE) PID:3508
  - C:\Users\Admin\AppData\Local\Temp\da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe ("C:\Users\Admin\AppData\Local\Temp\da45741ee5792531c2227ad1aaf7f19008855dfdb849882d989a17733bf2b8a0N.exe") PID:4176
    Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Windows security modification; Adds Run key to start application; Checks whether UAC is enabled; Enumerates connected drives; Drops autorun.inf file; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Windows\SysWOW64\wscript.exe (wscript StartMsi.vbs) PID:1336
      Signatures: Checks computer location settings; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\msiexec.exe ("C:\Windows\System32\msiexec.exe" /i "C:\Program Files (x86)\MSECACHE\WICU3\msicuu.msi") PID:1736
        Signatures: Enumerates connected drives; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc) PID:3668
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) PID:3864
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe ("C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca) PID:3964
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:4068
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe ("C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca) PID:2472
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:4116
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe ("C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca) PID:1696
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:2168
- C:\Windows\system32\msiexec.exe (C:\Windows\system32\msiexec.exe /V) PID:4648
  Signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\srtasks.exe (C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2) PID:920
- C:\Windows\system32\vssvc.exe (C:\Windows\system32\vssvc.exe) PID:700
  Signatures: Checks SCSI registry key(s)
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}) PID:5032
Network
MITRE ATT&CK Enterprise v15 (technique, with the number of matching signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (6)
Downloads