Analysis
max time kernel: 19s
max time network: 19s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 31-12-2024 20:53
Static task: static1
Behavioral task: behavioral1
Sample: 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe
Resource: win7-20241023-en
General
Target: 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe
Size: 287KB
MD5: 97de8c76a2cde363aa8926b908a685b0
SHA1: f35da97b5c887602dfcc1bb2dead77fee6912f5a
SHA256: 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721
SHA512: afcce30ff403743d9213cf98e0f7b974cfaaeed4e9cf18c109e2f0afba820a708922bfe875702b065d3bb5b626ea9aa0f78fce1d807f1d3df2033550c4e1e9fa
SSDEEP: 6144:6vEB2U+T6i5LirrllHy4HUcMQY6BSvOluXh2C:kEBN+T5xYrllrU7QY6BwNEC
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | explorer.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Sality family
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | explorer.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Deletes itself 1 IoCs
pid | Process
2924 | explorer.exe
Executes dropped EXE 4 IoCs
pid | Process
2924 | explorer.exe
3040 | spoolsv.exe
2740 | svchost.exe
2692 | spoolsv.exe
Loads dropped DLL 8 IoCs
pid | Process
2464 | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe
2464 | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe
2924 | explorer.exe
2924 | explorer.exe
3040 | spoolsv.exe
3040 | spoolsv.exe
2740 | svchost.exe
2740 | svchost.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | explorer.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Enumerates connected drives 3 TTPs 3 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | explorer.exe
File opened (read-only) | \??\G: | explorer.exe
File opened (read-only) | \??\H: | explorer.exe
resource | yara_rule
behavioral1/memory/2464-1-0x0000000002670000-0x00000000036FE000-memory.dmp | upx
behavioral1/memory/2464-6-0x0000000002670000-0x00000000036FE000-memory.dmp | upx
behavioral1/memory/2464-8-0x0000000002670000-0x00000000036FE000-memory.dmp | upx
behavioral1/memory/2464-3-0x0000000002670000-0x00000000036FE000-memory.dmp | upx
behavioral1/memory/2464-5-0x0000000002670000-0x00000000036FE000-memory.dmp | upx
behavioral1/memory/2464-9-0x0000000002670000-0x00000000036FE000-memory.dmp | upx
behavioral1/memory/2464-22-0x0000000002670000-0x00000000036FE000-memory.dmp | upx
behavioral1/memory/2464-10-0x0000000002670000-0x00000000036FE000-memory.dmp | upx
behavioral1/memory/2464-7-0x0000000002670000-0x00000000036FE000-memory.dmp | upx
behavioral1/memory/2464-39-0x0000000002670000-0x00000000036FE000-memory.dmp | upx
behavioral1/memory/2464-40-0x0000000002670000-0x00000000036FE000-memory.dmp | upx
behavioral1/memory/2464-68-0x0000000002670000-0x00000000036FE000-memory.dmp | upx
behavioral1/memory/2924-103-0x00000000033E0000-0x000000000446E000-memory.dmp | upx
behavioral1/memory/2924-104-0x00000000033E0000-0x000000000446E000-memory.dmp | upx
behavioral1/memory/2924-101-0x00000000033E0000-0x000000000446E000-memory.dmp | upx
behavioral1/memory/2924-127-0x00000000033E0000-0x000000000446E000-memory.dmp | upx
Drops file in Windows directory 6 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\SYSTEM.INI | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe
File opened for modification | \??\c:\windows\system\explorer.exe | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2464 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe 2464 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe 2924 explorer.exe 2924 explorer.exe 2924 explorer.exe 2924 explorer.exe 2924 explorer.exe 2924 explorer.exe 2924 explorer.exe 2924 explorer.exe 2924 explorer.exe 2924 explorer.exe 2924 explorer.exe 2924 explorer.exe 2740 svchost.exe 2740 svchost.exe 2924 explorer.exe 2740 svchost.exe 2924 explorer.exe 2740 svchost.exe 2924 explorer.exe 2740 svchost.exe 2924 explorer.exe 2740 svchost.exe 2924 explorer.exe 2740 svchost.exe 2924 explorer.exe 2740 svchost.exe 2924 explorer.exe 2740 svchost.exe 2924 explorer.exe 2740 svchost.exe 2924 explorer.exe 2740 svchost.exe 2924 explorer.exe 2740 svchost.exe 2924 explorer.exe 2740 svchost.exe 2924 explorer.exe 2740 svchost.exe 2924 explorer.exe 2740 svchost.exe 2924 explorer.exe 2740 svchost.exe 2924 explorer.exe 2740 svchost.exe 2924 explorer.exe 2740 svchost.exe 2924 explorer.exe 2740 svchost.exe 2924 explorer.exe 2740 svchost.exe 2924 explorer.exe 2740 svchost.exe 2924 explorer.exe 2740 svchost.exe 2924 explorer.exe 2740 svchost.exe 2924 explorer.exe 2740 svchost.exe 2924 explorer.exe 2740 svchost.exe 2924 explorer.exe 2740 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
2924 | explorer.exe
2740 | svchost.exe
Suspicious use of AdjustPrivilegeToken 44 IoCs
description pid Process Token: SeDebugPrivilege 2464 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe Token: SeDebugPrivilege 2464 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe Token: SeDebugPrivilege 2464 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe Token: SeDebugPrivilege 2464 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe Token: SeDebugPrivilege 2464 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe Token: SeDebugPrivilege 2464 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe Token: SeDebugPrivilege 2464 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe Token: SeDebugPrivilege 2464 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe Token: SeDebugPrivilege 2464 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe Token: SeDebugPrivilege 2464 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe Token: SeDebugPrivilege 2464 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe Token: SeDebugPrivilege 2464 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe Token: SeDebugPrivilege 2464 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe Token: SeDebugPrivilege 2464 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe Token: SeDebugPrivilege 2464 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe Token: SeDebugPrivilege 2464 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe Token: SeDebugPrivilege 2464 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe Token: SeDebugPrivilege 2464 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe Token: SeDebugPrivilege 2464 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe Token: SeDebugPrivilege 2464 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe Token: SeDebugPrivilege 2464 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe Token: SeDebugPrivilege 2464 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe Token: SeDebugPrivilege 2924 explorer.exe Token: SeDebugPrivilege 2924 explorer.exe Token: SeDebugPrivilege 2924 explorer.exe Token: SeDebugPrivilege 2924 explorer.exe Token: SeDebugPrivilege 2924 explorer.exe Token: SeDebugPrivilege 2924 explorer.exe Token: SeDebugPrivilege 2924 explorer.exe Token: SeDebugPrivilege 2924 explorer.exe Token: SeDebugPrivilege 2924 explorer.exe Token: SeDebugPrivilege 2924 explorer.exe Token: SeDebugPrivilege 2924 explorer.exe Token: SeDebugPrivilege 2924 explorer.exe Token: SeDebugPrivilege 2924 explorer.exe Token: SeDebugPrivilege 2924 explorer.exe Token: SeDebugPrivilege 2924 explorer.exe Token: SeDebugPrivilege 2924 explorer.exe Token: SeDebugPrivilege 2924 explorer.exe Token: SeDebugPrivilege 2924 explorer.exe Token: SeDebugPrivilege 2924 explorer.exe Token: SeDebugPrivilege 2924 explorer.exe Token: SeDebugPrivilege 2924 explorer.exe Token: SeDebugPrivilege 2924 explorer.exe
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 2464 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe 2464 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe 2924 explorer.exe 2924 explorer.exe 3040 spoolsv.exe 3040 spoolsv.exe 2740 svchost.exe 2740 svchost.exe 2692 spoolsv.exe 2692 spoolsv.exe 2924 explorer.exe 2924 explorer.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description | pid | Process | procid_target
PID 2464 wrote to memory of 1060 | 2464 | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe | 17
PID 2464 wrote to memory of 1100 | 2464 | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe | 18
PID 2464 wrote to memory of 1120 | 2464 | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe | 20
PID 2464 wrote to memory of 468 | 2464 | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe | 25
PID 2464 wrote to memory of 2924 | 2464 | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe | 30
PID 2464 wrote to memory of 2924 | 2464 | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe | 30
PID 2464 wrote to memory of 2924 | 2464 | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe | 30
PID 2464 wrote to memory of 2924 | 2464 | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe | 30
PID 2924 wrote to memory of 3040 | 2924 | explorer.exe | 31
PID 2924 wrote to memory of 3040 | 2924 | explorer.exe | 31
PID 2924 wrote to memory of 3040 | 2924 | explorer.exe | 31
PID 2924 wrote to memory of 3040 | 2924 | explorer.exe | 31
PID 3040 wrote to memory of 2740 | 3040 | spoolsv.exe | 32
PID 3040 wrote to memory of 2740 | 3040 | spoolsv.exe | 32
PID 3040 wrote to memory of 2740 | 3040 | spoolsv.exe | 32
PID 3040 wrote to memory of 2740 | 3040 | spoolsv.exe | 32
PID 2740 wrote to memory of 2692 | 2740 | svchost.exe | 33
PID 2740 wrote to memory of 2692 | 2740 | svchost.exe | 33
PID 2740 wrote to memory of 2692 | 2740 | svchost.exe | 33
PID 2740 wrote to memory of 2692 | 2740 | svchost.exe | 33
PID 2740 wrote to memory of 1996 | 2740 | svchost.exe | 34
PID 2740 wrote to memory of 1996 | 2740 | svchost.exe | 34
PID 2740 wrote to memory of 1996 | 2740 | svchost.exe | 34
PID 2740 wrote to memory of 1996 | 2740 | svchost.exe | 34
PID 2924 wrote to memory of 1060 | 2924 | explorer.exe | 17
PID 2924 wrote to memory of 1100 | 2924 | explorer.exe | 18
PID 2924 wrote to memory of 1120 | 2924 | explorer.exe | 20
PID 2924 wrote to memory of 468 | 2924 | explorer.exe | 25
PID 2924 wrote to memory of 2740 | 2924 | explorer.exe | 32
PID 2924 wrote to memory of 2740 | 2924 | explorer.exe | 32
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Processes
C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"
  PID:1060
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE
  PID:1100
  C:\Users\Admin\AppData\Local\Temp\2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe  "C:\Users\Admin\AppData\Local\Temp\2caac9b6e8715edc61c6bd764469bedc0c48c0398779b3d7ec147617c4d99721N.exe"
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2464
    \??\c:\windows\system\explorer.exe  c:\windows\system\explorer.exe
      - Modifies WinLogon for persistence
      - Modifies firewall policy service
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Windows security bypass
      - Boot or Logon Autostart Execution: Active Setup
      - Deletes itself
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID:2924
      \??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID:3040
        \??\c:\windows\system\svchost.exe  c:\windows\system\svchost.exe
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID:2740
          \??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe PR
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            PID:2692
          C:\Windows\SysWOW64\at.exe  at 20:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            - System Location Discovery: System Language Discovery
            PID:1996
C:\Windows\system32\taskhost.exe  "taskhost.exe"
  PID:1120
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID:468
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 3
    Active Setup 1
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
  Create or Modify System Process 1
    Windows Service 1
Privilege Escalation
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Boot or Logon Autostart Execution 3
    Active Setup 1
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
  Create or Modify System Process 1
    Windows Service 1
Defense Evasion
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Hide Artifacts 1
    Hidden Files and Directories 1
  Impair Defenses 4
    Disable or Modify System Firewall 1
    Disable or Modify Tools 3
  Modify Registry 9
Downloads