Analysis
max time kernel: 24s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 31-12-2024 13:13
Static task: static1
Behavioral task: behavioral1
Sample: 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Resource: win7-20240903-en
General
Target: 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Size: 297KB
MD5: 4f717645c687c296b017afbf435403f0
SHA1: afe1afccd46050371da351f9b4bedf467b81219c
SHA256: 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193
SHA512: 1f35598664a619000ad9109f91bf43f33b70147ffcd6449ea29d9d3375687dd71552c41d4000178ede997c085ffd02ae87eaa31f72e87e7d797fe8ac37459418
SSDEEP: 6144:MvEE2U+T6i5LirrllHy4HUcMQY6AyPE8+aES85f/M1:eEEN+T5xYrllrU7QY6Am+aES8tk1
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 5 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe

Deletes itself (1 IoCs)
pid | Process
2604 | explorer.exe

Executes dropped EXE (4 IoCs)
pid | Process
2604 | explorer.exe
3008 | spoolsv.exe
576 | svchost.exe
1804 | spoolsv.exe

Loads dropped DLL (8 IoCs)
pid | Process
2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
2604 | explorer.exe
2604 | explorer.exe
3008 | spoolsv.exe
3008 | spoolsv.exe
576 | svchost.exe
576 | svchost.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Enumerates connected drives (3 TTPs, 4 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | explorer.exe
File opened (read-only) | \??\G: | explorer.exe
File opened (read-only) | \??\H: | explorer.exe
File opened (read-only) | \??\I: | explorer.exe

resource | yara_rule
behavioral1/memory/2668-1-0x0000000002680000-0x000000000370E000-memory.dmp | upx
behavioral1/memory/2668-10-0x0000000002680000-0x000000000370E000-memory.dmp | upx
behavioral1/memory/2668-3-0x0000000002680000-0x000000000370E000-memory.dmp | upx
behavioral1/memory/2668-8-0x0000000002680000-0x000000000370E000-memory.dmp | upx
behavioral1/memory/2668-7-0x0000000002680000-0x000000000370E000-memory.dmp | upx
behavioral1/memory/2668-6-0x0000000002680000-0x000000000370E000-memory.dmp | upx
behavioral1/memory/2668-9-0x0000000002680000-0x000000000370E000-memory.dmp | upx
behavioral1/memory/2668-5-0x0000000002680000-0x000000000370E000-memory.dmp | upx
behavioral1/memory/2668-4-0x0000000002680000-0x000000000370E000-memory.dmp | upx
behavioral1/memory/576-75-0x0000000002480000-0x00000000024C3000-memory.dmp | upx
behavioral1/memory/2668-74-0x0000000002680000-0x000000000370E000-memory.dmp | upx
behavioral1/memory/2604-100-0x00000000032C0000-0x000000000434E000-memory.dmp | upx
behavioral1/memory/2604-102-0x00000000032C0000-0x000000000434E000-memory.dmp | upx
behavioral1/memory/2604-103-0x00000000032C0000-0x000000000434E000-memory.dmp | upx
behavioral1/memory/2604-101-0x00000000032C0000-0x000000000434E000-memory.dmp | upx
behavioral1/memory/2604-98-0x00000000032C0000-0x000000000434E000-memory.dmp | upx
behavioral1/memory/2604-126-0x00000000032C0000-0x000000000434E000-memory.dmp | upx
behavioral1/memory/2604-129-0x00000000032C0000-0x000000000434E000-memory.dmp | upx
behavioral1/memory/2604-127-0x00000000032C0000-0x000000000434E000-memory.dmp | upx
behavioral1/memory/2604-125-0x00000000032C0000-0x000000000434E000-memory.dmp | upx
behavioral1/memory/2604-130-0x00000000032C0000-0x000000000434E000-memory.dmp | upx

Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\system\explorer.exe | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\SYSTEM.INI | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
2604 | explorer.exe
2604 | explorer.exe
2604 | explorer.exe
2604 | explorer.exe
2604 | explorer.exe
2604 | explorer.exe
2604 | explorer.exe
2604 | explorer.exe
2604 | explorer.exe
2604 | explorer.exe
576 | svchost.exe
576 | svchost.exe
576 | svchost.exe
2604 | explorer.exe
2604 | explorer.exe
576 | svchost.exe
576 | svchost.exe
2604 | explorer.exe
2604 | explorer.exe
576 | svchost.exe
576 | svchost.exe
2604 | explorer.exe
2604 | explorer.exe
2604 | explorer.exe
576 | svchost.exe
576 | svchost.exe
2604 | explorer.exe
2604 | explorer.exe
576 | svchost.exe
576 | svchost.exe
2604 | explorer.exe
2604 | explorer.exe
576 | svchost.exe
576 | svchost.exe
2604 | explorer.exe
2604 | explorer.exe
576 | svchost.exe
576 | svchost.exe
2604 | explorer.exe
2604 | explorer.exe
576 | svchost.exe
576 | svchost.exe
2604 | explorer.exe
2604 | explorer.exe
576 | svchost.exe
576 | svchost.exe
2604 | explorer.exe
2604 | explorer.exe
576 | svchost.exe
576 | svchost.exe
2604 | explorer.exe
2604 | explorer.exe
576 | svchost.exe
576 | svchost.exe
2604 | explorer.exe
2604 | explorer.exe
576 | svchost.exe
576 | svchost.exe
2604 | explorer.exe
2604 | explorer.exe
576 | svchost.exe
576 | svchost.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2604 | explorer.exe
576 | svchost.exe
Suspicious use of AdjustPrivilegeToken (45 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Token: SeDebugPrivilege | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Token: SeDebugPrivilege | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Token: SeDebugPrivilege | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Token: SeDebugPrivilege | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Token: SeDebugPrivilege | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Token: SeDebugPrivilege | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Token: SeDebugPrivilege | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Token: SeDebugPrivilege | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Token: SeDebugPrivilege | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Token: SeDebugPrivilege | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Token: SeDebugPrivilege | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Token: SeDebugPrivilege | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Token: SeDebugPrivilege | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Token: SeDebugPrivilege | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Token: SeDebugPrivilege | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Token: SeDebugPrivilege | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Token: SeDebugPrivilege | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Token: SeDebugPrivilege | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Token: SeDebugPrivilege | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Token: SeDebugPrivilege | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Token: SeDebugPrivilege | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Token: SeDebugPrivilege | 2604 | explorer.exe
Token: SeDebugPrivilege | 2604 | explorer.exe
Token: SeDebugPrivilege | 2604 | explorer.exe
Token: SeDebugPrivilege | 2604 | explorer.exe
Token: SeDebugPrivilege | 2604 | explorer.exe
Token: SeDebugPrivilege | 2604 | explorer.exe
Token: SeDebugPrivilege | 2604 | explorer.exe
Token: SeDebugPrivilege | 2604 | explorer.exe
Token: SeDebugPrivilege | 2604 | explorer.exe
Token: SeDebugPrivilege | 2604 | explorer.exe
Token: SeDebugPrivilege | 2604 | explorer.exe
Token: SeDebugPrivilege | 2604 | explorer.exe
Token: SeDebugPrivilege | 2604 | explorer.exe
Token: SeDebugPrivilege | 2604 | explorer.exe
Token: SeDebugPrivilege | 2604 | explorer.exe
Token: SeDebugPrivilege | 2604 | explorer.exe
Token: SeDebugPrivilege | 2604 | explorer.exe
Token: SeDebugPrivilege | 2604 | explorer.exe
Token: SeDebugPrivilege | 2604 | explorer.exe
Token: SeDebugPrivilege | 2604 | explorer.exe
Token: SeDebugPrivilege | 2604 | explorer.exe
Token: SeDebugPrivilege | 2604 | explorer.exe
Token: SeDebugPrivilege | 2604 | explorer.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
2604 | explorer.exe
2604 | explorer.exe
3008 | spoolsv.exe
3008 | spoolsv.exe
576 | svchost.exe
576 | svchost.exe
1804 | spoolsv.exe
1804 | spoolsv.exe
2604 | explorer.exe
2604 | explorer.exe
Suspicious use of WriteProcessMemory (34 IoCs)
description | pid | Process | procid_target
PID 2668 wrote to memory of 1112 | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | 19
PID 2668 wrote to memory of 1164 | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | 20
PID 2668 wrote to memory of 1208 | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | 21
PID 2668 wrote to memory of 852 | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | 23
PID 2668 wrote to memory of 2604 | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | 30
PID 2668 wrote to memory of 2604 | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | 30
PID 2668 wrote to memory of 2604 | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | 30
PID 2668 wrote to memory of 2604 | 2668 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | 30
PID 2604 wrote to memory of 3008 | 2604 | explorer.exe | 31
PID 2604 wrote to memory of 3008 | 2604 | explorer.exe | 31
PID 2604 wrote to memory of 3008 | 2604 | explorer.exe | 31
PID 2604 wrote to memory of 3008 | 2604 | explorer.exe | 31
PID 3008 wrote to memory of 576 | 3008 | spoolsv.exe | 32
PID 3008 wrote to memory of 576 | 3008 | spoolsv.exe | 32
PID 3008 wrote to memory of 576 | 3008 | spoolsv.exe | 32
PID 3008 wrote to memory of 576 | 3008 | spoolsv.exe | 32
PID 576 wrote to memory of 1804 | 576 | svchost.exe | 33
PID 576 wrote to memory of 1804 | 576 | svchost.exe | 33
PID 576 wrote to memory of 1804 | 576 | svchost.exe | 33
PID 576 wrote to memory of 1804 | 576 | svchost.exe | 33
PID 576 wrote to memory of 2320 | 576 | svchost.exe | 34
PID 576 wrote to memory of 2320 | 576 | svchost.exe | 34
PID 576 wrote to memory of 2320 | 576 | svchost.exe | 34
PID 576 wrote to memory of 2320 | 576 | svchost.exe | 34
PID 2604 wrote to memory of 1112 | 2604 | explorer.exe | 19
PID 2604 wrote to memory of 1164 | 2604 | explorer.exe | 20
PID 2604 wrote to memory of 1208 | 2604 | explorer.exe | 21
PID 2604 wrote to memory of 852 | 2604 | explorer.exe | 23
PID 2604 wrote to memory of 576 | 2604 | explorer.exe | 32
PID 2604 wrote to memory of 576 | 2604 | explorer.exe | 32
PID 2604 wrote to memory of 1112 | 2604 | explorer.exe | 19
PID 2604 wrote to memory of 1164 | 2604 | explorer.exe | 20
PID 2604 wrote to memory of 1208 | 2604 | explorer.exe | 21
PID 2604 wrote to memory of 852 | 2604 | explorer.exe | 23

System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Processes
(indentation shows process tree depth; each entry gives image path, then the observed command line)

[PID 1112] C:\Windows\system32\taskhost.exe | cmdline: "taskhost.exe"

[PID 1164] C:\Windows\system32\Dwm.exe | cmdline: "C:\Windows\system32\Dwm.exe"

[PID 1208] C:\Windows\Explorer.EXE | cmdline: C:\Windows\Explorer.EXE
  [PID 2668] C:\Users\Admin\AppData\Local\Temp\108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe"
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    [PID 2604] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe
      - Modifies WinLogon for persistence
      - Modifies firewall policy service
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Windows security bypass
      - Boot or Logon Autostart Execution: Active Setup
      - Deletes itself
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      [PID 3008] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [PID 576] \??\c:\windows\system\svchost.exe | cmdline: c:\windows\system\svchost.exe
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          [PID 1804] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe PR
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
          [PID 2320] C:\Windows\SysWOW64\at.exe | cmdline: at 13:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            - System Location Discovery: System Language Discovery
          [PID 2612] C:\Windows\SysWOW64\at.exe | cmdline: at 13:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

[PID 852] C:\Windows\system32\DllHost.exe | cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Enterprise v15
(count of matching signatures in parentheses)

Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (9)
Downloads