Analysis
max time kernel: 114s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-01-2025 23:42
Behavioral task: behavioral1
Sample: 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Resource: win7-20240903-en
General
Target: 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Size: 418KB
MD5: 58eb136fdbe15037179b44f133723c33
SHA1: c83e920a5b0a1f684c265208d0195829e36dfe79
SHA256: 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9
SHA512: c4f76809365c7df3ef8e13a2caa799906847d88f8e4cee8b034e77f193e2e9f9f28fd03035e11f940ab340cfd9e40019f5875ccb3543a454289d0002d29ff0ed
SSDEEP: 3072:Lr8zCz/U1KZvMivW+0g/W+fFHScL9/zRFuvxEJwDijpS4DbYc4:H/fvMA0+WEFycLhzevxEJF8
Malware Config
Extracted
Family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
- http://klkjwre77638dfqwieuoi888.info/
Signatures
Detect Neshta payload 7 IoCs
resource | yara_rule
behavioral2/memory/4488-0-0x0000000000400000-0x000000000042D000-memory.dmp | family_neshta
behavioral2/files/0x000a000000023b75-10.dat | family_neshta
behavioral2/memory/4488-160-0x0000000000400000-0x000000000042D000-memory.dmp | family_neshta
behavioral2/memory/4488-163-0x0000000000400000-0x000000000042D000-memory.dmp | family_neshta
behavioral2/memory/4488-195-0x0000000000400000-0x000000000042D000-memory.dmp | family_neshta
behavioral2/memory/4488-209-0x0000000000400000-0x000000000042D000-memory.dmp | family_neshta
behavioral2/memory/4488-226-0x0000000000400000-0x000000000042D000-memory.dmp | family_neshta
Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Neshta
Malware from the Neshta family infects other executable files in order to spread itself and cause damage.
Neshta family
Sality family
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Disables Task Manager via registry modification
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely as a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Executes dropped EXE 2 IoCs
pid | Process
4016 | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
4492 | Un_A.exe
Loads dropped DLL 7 IoCs
pid | Process
4492 | Un_A.exe
4492 | Un_A.exe
4492 | Un_A.exe
4492 | Un_A.exe
4492 | Un_A.exe
4492 | Un_A.exe
4492 | Un_A.exe
Modifies system executable filetype association 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
File opened for modification | C:\Windows\svchost.com | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Un_A.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
NSIS installer 3 IoCs
resource | yara_rule
behavioral2/files/0x000a000000023b75-10.dat | nsis_installer_2
behavioral2/files/0x000a000000023b77-26.dat | nsis_installer_1
behavioral2/files/0x000a000000023b77-26.dat | nsis_installer_2
Modifies registry class 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Suspicious behavior: EnumeratesProcesses 32 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
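The WriteProcessMemory signature above is what separates this sample from an ordinary installer: PID 4488 writes into fontdrvhost.exe, dwm.exe, sihost.exe, Explorer.EXE, svchost.exe, RuntimeBroker.exe and the other unrelated processes in the list, while PID 4016 and PID 4492 only write into the children they have just started (which typically accompanies ordinary process creation). The Python script below is an added example, not part of the sandbox report: it parses a subset of the report's rows (copied verbatim, duplicates included), takes the parent map from the report's process tree, and flags any writer whose targets include processes it did not create. The helper names (parse_rows, classify, injectors) are the example's own.

```python
"""Triage helper for the sandbox's "wrote to memory of" rows.

Added example, not part of the sandbox report. ROWS is a subset of the
report's 64 WriteProcessMemory IoCs (copied verbatim, duplicates included);
PARENTS is the child -> parent map read off the report's process tree.
"""
import re
from collections import defaultdict

# "description" cells copied from the report, one per WriteProcessMemory event.
ROWS = """
description pid Process procid_target
PID 4488 wrote to memory of 788
PID 4488 wrote to memory of 796
PID 4488 wrote to memory of 384
PID 4488 wrote to memory of 2648
PID 4488 wrote to memory of 3460
PID 4488 wrote to memory of 4016
PID 4488 wrote to memory of 4016
PID 4016 wrote to memory of 4492
PID 4492 wrote to memory of 3556
PID 4492 wrote to memory of 4520
PID 4492 wrote to memory of 3956
PID 4488 wrote to memory of 788
""".strip().splitlines()

# child -> parent, from the report's process tree (PIDs outside the tree omitted).
PARENTS = {
    4488: 3460,          # sample, started by Explorer.EXE
    4016: 4488,          # dropped copy under Temp\3582-490\
    4492: 4016,          # ~nsuA.tmp\Un_A.exe
    3556: 4492, 4520: 4492, 3956: 4492,   # the three schtasks.exe children
}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")


def parse_rows(rows):
    """Return {writer_pid: {target_pid: number_of_writes}}.

    Lines that are not event rows (the table header, blanks) are skipped.
    """
    writes = defaultdict(lambda: defaultdict(int))
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            writes[int(m.group(1))][int(m.group(2))] += 1
    return writes


def classify(writes, parents):
    """Split each writer's targets into its own children (normal when a
    process starts a child) and foreign processes (cross-process injection)."""
    report = {}
    for writer, targets in writes.items():
        children = {t for t in targets if parents.get(t) == writer}
        foreign = set(targets) - children
        report[writer] = {
            "children": children,
            "foreign": foreign,
            "injector": bool(foreign),
        }
    return report


def injectors(rows, parents=PARENTS):
    """PIDs that wrote into processes they did not create."""
    verdicts = classify(parse_rows(rows), parents)
    return sorted(pid for pid, v in verdicts.items() if v["injector"])


if __name__ == "__main__":
    for pid, v in classify(parse_rows(ROWS), PARENTS).items():
        label = "INJECTOR" if v["injector"] else "ok"
        print(pid, label, "children:", sorted(v["children"]),
              "foreign:", sorted(v["foreign"]))
```

Run against the full 64 rows the verdict is the same: only PID 4488 is an injector; the writes of 4016 and 4492 land exclusively in their own children. The parent map is the part a real pipeline has to supply from process-creation telemetry (Sysmon event 1 or the sandbox's own tree); without it every parent-to-child write would look like injection.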
Processes

C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:788
C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:796
C:\Windows\system32\dwm.exe  "dwm.exe"  PID:384
C:\Windows\system32\sihost.exe  sihost.exe  PID:2648
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID:2664
C:\Windows\system32\taskhostw.exe  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID:2744
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:3460
    C:\Users\Admin\AppData\Local\Temp\4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe  "C:\Users\Admin\AppData\Local\Temp\4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe"  PID:4488
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Checks computer location settings
        - Modifies system executable filetype association
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\Users\Admin\AppData\Local\Temp\3582-490\4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe  "C:\Users\Admin\AppData\Local\Temp\3582-490\4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe"  PID:4016
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\3582-490\  PID:4492
                - Executes dropped EXE
                - Loads dropped DLL
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\schtasks.exe  schtasks.exe /delete /tn "UsbFix Boot Scan" /f  PID:3556
                    - System Location Discovery: System Language Discovery
                C:\Windows\SysWOW64\schtasks.exe  schtasks.exe /delete /tn "UsbFix Start" /f  PID:4520
                    - System Location Discovery: System Language Discovery
                C:\Windows\SysWOW64\schtasks.exe  schtasks.exe /delete /tn "UsbFix Monitor" /f  PID:3956
                    - System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID:3676
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:3844
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID:3940
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4000
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID:4092
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4188
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID:1624
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:844
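The process tree shows the chain a detection engineer wants to catch: the sample in Temp (PID 4488) runs a dropped copy of itself from Temp\3582-490\ (PID 4016), which runs Un_A.exe from ~nsuA.tmp with an _?= argument (the way an NSIS uninstaller relaunches itself from a temporary copy), which in turn deletes the three "UsbFix" scheduled tasks with schtasks.exe /delete. Looking at schtasks.exe alone produces noise, since uninstallers delete their own tasks legitimately; what makes this chain worth an alert is that every ancestor up to Explorer lives under the user's Temp directory. The Python script below is an added example, not part of the report: it rebuilds the tree from records constructed out of the process list above (image, command line, PID, parent PID), and flags schtasks deletions whose ancestry passes through Temp. The control case with PID 5000, started directly by Explorer, is invented for contrast and is not in the report; the function names (ancestors, deleted_task, findings) are the example's own.

```python
"""Ancestry-based detection for scheduled-task tampering via schtasks.exe.

Added example, not part of the sandbox report. PROCESSES is constructed from
the report's process tree (image path, command line, PID, parent PID); the
Explorer-launched control case with PID 5000 is invented for contrast.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

SAMPLE = "4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

PROCESSES = [
    Proc(3460, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(4488, 3460, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    Proc(4016, 4488, TEMP + "\\3582-490\\" + SAMPLE,
         '"' + TEMP + "\\3582-490\\" + SAMPLE + '"'),
    Proc(4492, 4016, TEMP + r"\~nsuA.tmp\Un_A.exe",
         '"' + TEMP + r"\~nsuA.tmp\Un_A.exe" + '" _?=' + TEMP + "\\3582-490\\"),
    Proc(3556, 4492, SCHTASKS, 'schtasks.exe /delete /tn "UsbFix Boot Scan" /f'),
    Proc(4520, 4492, SCHTASKS, 'schtasks.exe /delete /tn "UsbFix Start" /f'),
    Proc(3956, 4492, SCHTASKS, 'schtasks.exe /delete /tn "UsbFix Monitor" /f'),
    Proc(3676, None, r"C:\Windows\system32\svchost.exe",
         r"C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc"),
    # Constructed control case (not in the report): same command, but started
    # by Explorer, so it has no Temp-resident ancestor and must not be flagged.
    Proc(5000, 3460, r"C:\Windows\System32\schtasks.exe",
         'schtasks.exe /delete /tn "Old Backup" /f'),
]

# A path under any user's %LOCALAPPDATA%\Temp.
TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# schtasks /delete ... /tn <name>, with a quoted or a bare task name.
DELETE_RE = re.compile(r'/delete\b.*?/tn\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def ancestors(pid, by_pid):
    """Yield the process with this PID, then its parent, and so on, stopping
    at a PID we have no record for (or at a cycle)."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid].ppid


def deleted_task(cmdline):
    """Task name removed by a schtasks command line, or None if not a delete."""
    m = DELETE_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def findings(processes):
    """schtasks.exe /delete invocations whose ancestry passes through Temp."""
    by_pid = {p.pid: p for p in processes}
    out = []
    for p in processes:
        if not p.image.lower().endswith("\\schtasks.exe"):
            continue
        task = deleted_task(p.cmdline)
        if task is None:
            continue
        temp_chain = [a.pid for a in ancestors(p.ppid, by_pid)
                      if TEMP_RE.search(a.image)]
        if temp_chain:
            out.append({"pid": p.pid, "task": task, "temp_ancestors": temp_chain})
    return out


if __name__ == "__main__":
    for f in findings(PROCESSES):
        print("PID %d deleted task %r; Temp-resident ancestors: %s"
              % (f["pid"], f["task"], f["temp_ancestors"]))
```

The same walk works over Sysmon event 1 or EDR process-creation records once they are mapped onto the Proc fields; the Temp check is one ancestry predicate, and the same structure carries others (unsigned image, image dropped seconds earlier, parent running from a user-writable path).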
Network
MITRE ATT&CK Enterprise v15
Persistence
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (6)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

C:\Users\Admin\AppData\Local\Temp\0E57B1DB_Rar\4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
  Filesize: 346KB
  MD5: f2c47304fd5347c1274418796da953c0
  SHA1: 8a76e411b32c094a03e8a1462cdd522fd2133846
  SHA256: 5c7eca3fd4a4a610aa29a0ab31ee97eeff640875383e048f7950a2aa13702681
  SHA512: 3684923989bc750cb0c09f3b18f8b9ad3ef0cf263fdbc8abcb5ac44ead73b4588de5fb06749dadb7a22d10c07fce74fbca1c8cb5ceaaa7f98e27f98f54423453

C:\Users\Admin\AppData\Local\Temp\3582-490\4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
  Filesize: 305KB
  MD5: 03d79a2f4369678343f8f99afa39dc5f
  SHA1: 07154dbea3dde2c3c924cf91c87bf984b5f3d654
  SHA256: 27158949ee4a1d8149648258f8ec57d906c21ec07d5cdf1d011b4407f0d0eb85
  SHA512: 93d80fb5046e9836b8c62985cb2594df95a2d76a0c0b9568675cc2ffae800c3644edc8cb4bc04b204309551683d01e64cbf52cd4136ff624b0b61717ad58bfb1

  Filesize: 6KB
  MD5: b38561661a7164e3bbb04edc3718fe89
  SHA1: f13c873c8db121ba21244b1e9a457204360d543f
  SHA256: c2c88e4a32c734b0cb4ae507c1a9a1b417a2375079111fb1b35fab23aedd41d9
  SHA512: fedcaac20722de3519382011ccf22314af3edcd11b69f814db14710966853b69b9b5fc98383edcdb64d050ff825264eaba27b1c5adfe61d1fc9d77f13a052ced

  Filesize: 4KB
  MD5: faa7f034b38e729a983965c04cc70fc1
  SHA1: df8bda55b498976ea47d25d8a77539b049dab55e
  SHA256: 579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf
  SHA512: 7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf