Analysis
-
max time kernel: 28s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 31-12-2024 13:13
Static task: static1
Behavioral task: behavioral1
Sample: 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Resource: win7-20240903-en
General
-
Target: 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Size: 297KB
MD5: 4f717645c687c296b017afbf435403f0
SHA1: afe1afccd46050371da351f9b4bedf467b81219c
SHA256: 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193
SHA512: 1f35598664a619000ad9109f91bf43f33b70147ffcd6449ea29d9d3375687dd71552c41d4000178ede997c085ffd02ae87eaa31f72e87e7d797fe8ac37459418
SSDEEP: 6144:MvEE2U+T6i5LirrllHy4HUcMQY6AyPE8+aES85f/M1:eEEN+T5xYrllrU7QY6Am+aES8tk1
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
-
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | explorer.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
-
Sality family
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | explorer.exe
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
-
Deletes itself 1 IoCs
pid | Process
4876 | explorer.exe
-
Executes dropped EXE 4 IoCs
pid | Process
4876 | explorer.exe
2156 | spoolsv.exe
2412 | svchost.exe
1748 | spoolsv.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | explorer.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
-
Enumerates connected drives 3 TTPs 6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | explorer.exe
File opened (read-only) | \??\G: | explorer.exe
File opened (read-only) | \??\H: | explorer.exe
File opened (read-only) | \??\I: | explorer.exe
File opened (read-only) | \??\J: | explorer.exe
File opened (read-only) | \??\K: | explorer.exe
-
resource | yara_rule
behavioral2/memory/3612-1-0x0000000002BC0000-0x0000000003C4E000-memory.dmp | upx
behavioral2/memory/3612-8-0x0000000002BC0000-0x0000000003C4E000-memory.dmp | upx
behavioral2/memory/3612-4-0x0000000002BC0000-0x0000000003C4E000-memory.dmp | upx
behavioral2/memory/3612-9-0x0000000002BC0000-0x0000000003C4E000-memory.dmp | upx
behavioral2/memory/3612-7-0x0000000002BC0000-0x0000000003C4E000-memory.dmp | upx
behavioral2/memory/3612-6-0x0000000002BC0000-0x0000000003C4E000-memory.dmp | upx
behavioral2/memory/3612-11-0x0000000002BC0000-0x0000000003C4E000-memory.dmp | upx
behavioral2/memory/3612-21-0x0000000002BC0000-0x0000000003C4E000-memory.dmp | upx
behavioral2/memory/3612-23-0x0000000002BC0000-0x0000000003C4E000-memory.dmp | upx
behavioral2/memory/3612-33-0x0000000002BC0000-0x0000000003C4E000-memory.dmp | upx
behavioral2/memory/3612-35-0x0000000002BC0000-0x0000000003C4E000-memory.dmp | upx
behavioral2/memory/3612-49-0x0000000002BC0000-0x0000000003C4E000-memory.dmp | upx
behavioral2/memory/3612-53-0x0000000002BC0000-0x0000000003C4E000-memory.dmp | upx
behavioral2/memory/3612-54-0x0000000002BC0000-0x0000000003C4E000-memory.dmp | upx
behavioral2/memory/4876-81-0x0000000003530000-0x00000000045BE000-memory.dmp | upx
behavioral2/memory/4876-80-0x0000000003530000-0x00000000045BE000-memory.dmp | upx
behavioral2/memory/4876-79-0x0000000003530000-0x00000000045BE000-memory.dmp | upx
behavioral2/memory/4876-78-0x0000000003530000-0x00000000045BE000-memory.dmp | upx
behavioral2/memory/4876-75-0x0000000003530000-0x00000000045BE000-memory.dmp | upx
behavioral2/memory/4876-77-0x0000000003530000-0x00000000045BE000-memory.dmp | upx
behavioral2/memory/4876-84-0x0000000003530000-0x00000000045BE000-memory.dmp | upx
behavioral2/memory/4876-91-0x0000000003530000-0x00000000045BE000-memory.dmp | upx
behavioral2/memory/4876-92-0x0000000003530000-0x00000000045BE000-memory.dmp | upx
behavioral2/memory/4876-82-0x0000000003530000-0x00000000045BE000-memory.dmp | upx
behavioral2/memory/4876-83-0x0000000003530000-0x00000000045BE000-memory.dmp | upx
behavioral2/memory/4876-93-0x0000000003530000-0x00000000045BE000-memory.dmp | upx
behavioral2/memory/4876-94-0x0000000003530000-0x00000000045BE000-memory.dmp | upx
behavioral2/memory/4876-95-0x0000000003530000-0x00000000045BE000-memory.dmp | upx
behavioral2/memory/4876-97-0x0000000003530000-0x00000000045BE000-memory.dmp | upx
behavioral2/memory/4876-98-0x0000000003530000-0x00000000045BE000-memory.dmp | upx
behavioral2/memory/4876-99-0x0000000003530000-0x00000000045BE000-memory.dmp | upx
behavioral2/memory/4876-101-0x0000000003530000-0x00000000045BE000-memory.dmp | upx
behavioral2/memory/4876-102-0x0000000003530000-0x00000000045BE000-memory.dmp | upx
behavioral2/memory/4876-103-0x0000000003530000-0x00000000045BE000-memory.dmp | upx
behavioral2/memory/4876-108-0x0000000003530000-0x00000000045BE000-memory.dmp | upx
behavioral2/memory/4876-106-0x0000000003530000-0x00000000045BE000-memory.dmp | upx
-
Drops file in Windows directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
File opened for modification | \??\c:\windows\system\explorer.exe | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (identical entries collapsed; count in parentheses)
3612 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe (4 entries)
4876 | explorer.exe (38 entries)
2412 | svchost.exe (22 entries)
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
4876 | explorer.exe
2412 | svchost.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process (identical entries collapsed; count in parentheses)
Token: SeDebugPrivilege | 3612 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe (64 entries)
-
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
3612 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
3612 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
4876 | explorer.exe
4876 | explorer.exe
2156 | spoolsv.exe
2156 | spoolsv.exe
2412 | svchost.exe
2412 | svchost.exe
1748 | spoolsv.exe
1748 | spoolsv.exe
4876 | explorer.exe
4876 | explorer.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (identical entries collapsed; count in parentheses)
PID 3612 wrote to memory of 780 | 3612 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | 8
PID 3612 wrote to memory of 788 | 3612 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | 9
PID 3612 wrote to memory of 376 | 3612 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | 13
PID 3612 wrote to memory of 2652 | 3612 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | 44
PID 3612 wrote to memory of 2668 | 3612 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | 45
PID 3612 wrote to memory of 2780 | 3612 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | 47
PID 3612 wrote to memory of 3440 | 3612 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | 56
PID 3612 wrote to memory of 3572 | 3612 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | 57
PID 3612 wrote to memory of 3748 | 3612 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | 58
PID 3612 wrote to memory of 3840 | 3612 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | 59
PID 3612 wrote to memory of 3912 | 3612 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | 60
PID 3612 wrote to memory of 4000 | 3612 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | 61
PID 3612 wrote to memory of 3596 | 3612 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | 62
PID 3612 wrote to memory of 3248 | 3612 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | 75
PID 3612 wrote to memory of 2192 | 3612 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | 76
PID 3612 wrote to memory of 3600 | 3612 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | 81
PID 3612 wrote to memory of 4876 | 3612 | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | 83 (3 entries)
PID 4876 wrote to memory of 2156 | 4876 | explorer.exe | 84 (3 entries)
PID 2156 wrote to memory of 2412 | 2156 | spoolsv.exe | 85 (3 entries)
PID 2412 wrote to memory of 1748 | 2412 | svchost.exe | 86 (3 entries)
PID 2412 wrote to memory of 2900 | 2412 | svchost.exe | 87 (3 entries)
PID 4876 wrote to memory of 780 | 4876 | explorer.exe | 8 (2 entries)
PID 4876 wrote to memory of 788 | 4876 | explorer.exe | 9 (2 entries)
PID 4876 wrote to memory of 376 | 4876 | explorer.exe | 13 (2 entries)
PID 4876 wrote to memory of 2652 | 4876 | explorer.exe | 44 (2 entries)
PID 4876 wrote to memory of 2668 | 4876 | explorer.exe | 45 (2 entries)
PID 4876 wrote to memory of 2780 | 4876 | explorer.exe | 47 (2 entries)
PID 4876 wrote to memory of 3440 | 4876 | explorer.exe | 56 (2 entries)
PID 4876 wrote to memory of 3572 | 4876 | explorer.exe | 57 (2 entries)
PID 4876 wrote to memory of 3748 | 4876 | explorer.exe | 58 (2 entries)
PID 4876 wrote to memory of 3840 | 4876 | explorer.exe | 59 (2 entries)
PID 4876 wrote to memory of 3912 | 4876 | explorer.exe | 60 (2 entries)
PID 4876 wrote to memory of 4000 | 4876 | explorer.exe | 61 (2 entries)
PID 4876 wrote to memory of 3596 | 4876 | explorer.exe | 62 (2 entries)
PID 4876 wrote to memory of 3248 | 4876 | explorer.exe | 75 (2 entries)
PID 4876 wrote to memory of 2192 | 4876 | explorer.exe | 76 (2 entries)
PID 4876 wrote to memory of 3600 | 4876 | explorer.exe | 81
PID 4876 wrote to memory of 2412 | 4876 | explorer.exe | 85 (2 entries)
-
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Processes
-
Each entry is path | command line | PID; indented entries are child processes of the entry above them, and the signatures that fired for a process are listed beneath it.
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:780
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:788
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:376
C:\Windows\system32\sihost.exe | sihost.exe | PID:2652
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2668
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2780
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3440
  C:\Users\Admin\AppData\Local\Temp\108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe | "C:\Users\Admin\AppData\Local\Temp\108f4eec35d3b8ee35d7df02792d2ff0b074680a061b2695e672ca5554cfc193N.exe" | PID:3612
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
    \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe | PID:4876
    - Modifies WinLogon for persistence
    - Modifies firewall policy service
    - Modifies visibility of hidden/system files in Explorer
    - UAC bypass
    - Windows security bypass
    - Boot or Logon Autostart Execution: Active Setup
    - Deletes itself
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
      \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:2156
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\svchost.exe | c:\windows\system\svchost.exe | PID:2412
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Boot or Logon Autostart Execution: Active Setup
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
          \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe PR | PID:1748
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          C:\Windows\SysWOW64\at.exe | at 13:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe | PID:2900
          - System Location Discovery: System Language Discovery
          C:\Windows\SysWOW64\at.exe | at 13:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe | PID:2556
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3572
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3748
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3840
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3912
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4000
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3596
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:3248
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2192
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:3600
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (9)
Downloads
-
Filesize: 296KB
MD5: 8bb7982aef8ffef50bea800f327b39da
SHA1: a12a5f0b77c4a2770d7594837d0f55382699b2de
SHA256: b3ef7fddd9eabda7936bd347f95c8c0c0f8aadad56a6ccb330b431941498b502
SHA512: 35dfe8c90ed7c8bea032028e9ef129ff9b188f4137a32182844c46160b040a82c8c0bcefea86c0de395c5937fba2cb53a90a894f7cb25d6194793e2a54686fe2
-
Filesize: 257B
MD5: 59be775274012ad4d34a35fa39218447
SHA1: ca49a2966f0bd9d525f360052ff9602dd00bfd84
SHA256: 2d77bb8957d21e5a1cc966c1e94ba120976b4e49900f8dd37947ef4faf371ee0
SHA512: 4be16a7aa9e26dc08d9041361db39a2c45999bdca314dcb675c54ab87229d6e6832e6819d5edacb768d490c3cbe17e4896bb535db52ec917ca7cfea6042b76d5
-
Filesize: 297KB
MD5: 90c65837548870acc379c3670b0b7877
SHA1: 7d44f003d9d35726927af763685e064d73c98ac8
SHA256: c765670059713a10df4c866f483631170ce2e6e9a98fef001453dc61056a6333
SHA512: a908d07df3ba8f1ddfb38e55d24e58c986d99a314f39d4891fec6a1f0bc4823e53ea832b3edd859bb82c79fad3547dd9c7b2f8eb4ad2252cc738988089082f7b
-
Filesize: 100KB
MD5: d5cde37f8d71a0278f63f35a652c52d8
SHA1: eb105448650d0071db1c65c3239d899351bad59c
SHA256: 87b3c1a8b7fb3997dc488c858d80463ca1d7a23e945081de89f2b2ec4528eca1
SHA512: e47456f73ef7eabfaf2a0001d3a4f6b465bd2d744bc5363b53b26fda1a06cb6114a1619f8047b5e0818a84e32b1a4c441f82794e8ce6b98430c039cf2bf5d964
-
Filesize: 296KB
MD5: 250753fc7ffa9afc897d2cbc1a8d00cf
SHA1: 78a53adf1f4de78b75e930f37b4c57c3bf24f215
SHA256: df02b897e1e7a4381420ff2bf6be6573e15a655c1d5d3f53065f37b5ceddb9a5
SHA512: 082e59487136b2c35445eec7ac2d28415f425498bb952e9c2b428775e10c122e8434e1921d4daa79354cb66dd4e536ee46632762d852112c09e37cbf6001aec9
-
Filesize: 296KB
MD5: 17ce4e92ef13f45712f2ee4c8419b6a1
SHA1: bc34ae7dbcfc2247b25994b7ccc794bc26c4726c
SHA256: 2b0c8f9d3f4f2a92fcb04b080070df8ab452e2328338cc018006cbae25c65e8a
SHA512: 9830536ef96a0bacaff30bc8e8e4191e527b0568caa305e19d275b715bd5b982ccd0db3abcde337541b569aa8ed369c3092ef18da2f8df3648a3483b3fbc481c