Analysis
max time kernel: 52s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-01-2025 23:26
Behavioral task: behavioral1
Sample: 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe
Resource: win7-20241023-en
General
Target: 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe
Size: 199KB
MD5: 217e41f6c25d038647a7442444f73ac0
SHA1: 6296791ef6ed5b2a0ef18f2a0af986f9596939ee
SHA256: 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572f
SHA512: b1cfb43fa8db915b9b4be3a682e6870d3321ff808ca33e45ae57042e3ca200f4307d601c199e41b8a9cb0e0bcd969f5b5d35842403330e861366f0081aebf4d4
SSDEEP: 3072:7r8uCJwMEHdNOy+eP/rM71eYQUXlqBRfpj46MQCcA5Cf0Gy4i8qQtHSUgmQ:3CJXAkp2r+QUXWS6MXi10KQ
Malware Config
Extracted family: sality
URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
  http://www.klkjwre9fqwieluoi.info/
  http://kukutrustnet777888.info/
  http://klkjwre77638dfqwieuoi888.info/
Signatures

Detect Neshta payload (7 IoCs)
resource -> yara_rule
  behavioral2/memory/1516-0-0x0000000000400000-0x000000000042E000-memory.dmp -> family_neshta
  behavioral2/files/0x0008000000023cbc-6.dat -> family_neshta
  behavioral2/memory/1516-127-0x0000000000400000-0x000000000042E000-memory.dmp -> family_neshta
  behavioral2/memory/1516-132-0x0000000000400000-0x000000000042E000-memory.dmp -> family_neshta
  behavioral2/memory/1516-153-0x0000000000400000-0x000000000042E000-memory.dmp -> family_neshta
  behavioral2/memory/1516-178-0x0000000000400000-0x000000000042E000-memory.dmp -> family_neshta
  behavioral2/memory/1516-203-0x0000000000400000-0x000000000042E000-memory.dmp -> family_neshta
Modifies firewall policy service (3 TTPs, 6 IoCs)
description / ioc / process (process is 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe for every entry)
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  (x2)
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  (x2)
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  (x2)
Neshta
Malware from the Neshta family is designed to inject itself into other executable files in order to spread and cause damage.

Neshta family

Sality family
(untitled signature: heading absent from the page) (2 IoCs)
description / ioc / process (process is 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe for every entry)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (x2)
(untitled signature: heading absent from the page) (12 IoCs)
description / ioc / process (process is 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe for every entry)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  (x2)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  (x2)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  (x2)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  (x2)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  (x2)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  (x2)
Disables RegEdit via registry modification (2 IoCs)
description / ioc / process (process is 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe for every entry)
  Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"  (x2)
Disables Task Manager via registry modification
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description / ioc / process
  Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation  98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe
Deletes itself (1 IoC)
pid / process
  4956  98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe

Executes dropped EXE (1 IoC)
pid / process
  4956  98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe
Modifies system executable filetype association (2 TTPs, 1 IoC)
description / ioc / process
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ (Default) = "C:\\Windows\\svchost.com \"%1\" %*"  98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
(untitled signature: heading absent from the page) (14 IoCs)
description / ioc / process (process is 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe for every entry)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  (x2)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  (x2)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  (x2)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  (x2)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  (x2)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  (x2)
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  (x2)
(untitled signature: heading absent from the page) (2 IoCs)
description / ioc / process (process is 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe for every entry)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (x2)
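The registry writes in the signatures above (the StandardProfile firewall policy, EnableLUA, the Security Center notify/override values, DisableRegistryTools and the exefile open command) are this sample's defense-impairment footprint. As an added example that is not part of the sandbox report, the Python below parses records in the report's flattened "Set value" layout and maps each one to an impairment category. The record lines are constructed from the key paths the report lists, with the process name shortened to the placeholder sample.exe, and a benign Run-key write is included as a control that must not be flagged. DisableTaskMgr is included as a rule because the report names a Task Manager signature without showing its IoC.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample records in the report's own flattened layout:
# 'Set value (<type>) <key>\<name> = "<data>" <process>'. Key paths are the ones
# the report lists; the process name is the placeholder sample.exe.
SAMPLE_RECORDS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" sample.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sample.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" sample.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" sample.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" sample.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" sample.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "1" sample.exe',  # control: not an impairment
]

RECORD_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')

# Security Center values that, when set to 1, silence or override the health UI.
SECURITY_CENTER_FLAGS = {'AntiVirusOverride', 'FirewallOverride', 'AntiVirusDisableNotify',
                         'FirewallDisableNotify', 'UpdatesDisableNotify', 'UacDisableNotify'}
# StandardProfile values and the data that weakens the firewall.
FIREWALL_WEAKENING = {'EnableFirewall': '0', 'DoNotAllowExceptions': '0', 'DisableNotifications': '1'}
# What Windows itself stores as the exefile open command.
DEFAULT_EXE_COMMAND = '"%1" %*'


def parse_record(line: str) -> Optional[dict]:
    """Split one flattened 'Set value' record into type, key path, value name, data and process.

    Returns None for lines that are not 'Set value' records (e.g. 'Key opened ...').
    """
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    vtype, key, data, process = m.groups()
    if key.endswith('\\'):            # trailing backslash: the key's (Default) value
        path, name = key[:-1], '(Default)'
    else:
        path, _, name = key.rpartition('\\')
    return {'type': vtype, 'path': path, 'name': name, 'data': data, 'process': process}


def classify(rec: dict) -> Optional[str]:
    """Map a parsed registry write to a defense-impairment category, or None if benign."""
    path, name, data = rec['path'].lower(), rec['name'], rec['data']
    if path.endswith(r'firewallpolicy\standardprofile') and FIREWALL_WEAKENING.get(name) == data:
        return 'firewall_policy_tamper'
    if path.endswith(r'policies\system'):
        if name == 'EnableLUA' and data == '0':
            return 'uac_disabled'
        if name == 'DisableRegistryTools' and data == '1':
            return 'regedit_disabled'
        if name == 'DisableTaskMgr' and data == '1':
            return 'taskmgr_disabled'
    if path.endswith('security center') and name in SECURITY_CENTER_FLAGS and data == '1':
        return 'security_center_suppressed'
    if path.endswith(r'classes\exefile\shell\open\command') and name == '(Default)':
        # The report escapes inner quotes as \"; undo that before comparing with the default.
        if data.replace('\\"', '"') != DEFAULT_EXE_COMMAND:
            return 'exe_association_hijack'
    return None


def summarize(lines) -> Counter:
    """Count impairment categories across a batch of report lines."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec and (cat := classify(rec)):
            counts[cat] += 1
    return counts


if __name__ == '__main__':
    for line in SAMPLE_RECORDS:
        rec = parse_record(line)
        print(f"{classify(rec) or '-':28} {rec['name']} = {rec['data']!r}")
    print(summarize(SAMPLE_RECORDS))
```

The exefile rule compares against the stock handler string rather than looking for svchost.com by name, so any interposed launcher is caught; the same keys can be audited on a live host by feeding it the output of a registry diff rather than report lines.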
(untitled signature: heading absent from the page; yara rule upx, 46 IoCs)
resource -> yara_rule
  behavioral2/memory/1516-N-0x00000000022F0000-0x000000000337E000-memory.dmp -> upx, for N in 1, 10, 11, 12, 13, 14, 15, 16, 19, 118, 119, 120, 121, 122, 123, 124, 135, 139, 140, 142, 145, 146, 147, 149, 150, 152, 154, 155, 162, 163, 165, 168, 169, 172, 173, 174, 176, 177, 204 (39 dumps)
  behavioral2/files/0x0007000000023cc1-25.dat -> upx
  behavioral2/memory/4956-N-0x0000000000400000-0x000000000041B000-memory.dmp -> upx, for N in 117, 131, 141, 161 (4 dumps)
  behavioral2/memory/4956-N-0x0000000004260000-0x00000000052EE000-memory.dmp -> upx, for N in 216, 232 (2 dumps)
Drops file in Program Files directory (64 IoCs)
description / ioc / process (every entry is "File opened for modification" by 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe; listed in page order, repeats included)
  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
  C:\PROGRA~2\WINDOW~4\wmpshare.exe
  C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
  C:\PROGRA~2\INTERN~1\ielowutil.exe
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE
  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
  C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
  C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE
  C:\PROGRA~2\Google\Update\DISABL~1.EXE
  C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
  C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE
  C:\PROGRA~2\WINDOW~4\wmlaunch.exe
  C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
  C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE
  C:\PROGRAM FILES\7-ZIP\7zFM.exe
  C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE
  C:\PROGRA~2\INTERN~1\ieinstal.exe
  C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE
  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe
  C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE
  C:\PROGRA~2\WINDOW~2\wab.exe
  C:\PROGRAM FILES\7-ZIP\7z.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
  C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
  C:\PROGRA~2\WINDOW~4\wmpconfig.exe
  C:\PROGRAM FILES\7-ZIP\7zFM.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
  C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe
  C:\PROGRA~2\INTERN~1\iexplore.exe
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
  C:\PROGRA~2\WINDOW~4\setup_wm.exe
  C:\PROGRAM FILES\7-ZIP\Uninstall.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
  C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
  C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
  C:\PROGRAM FILES\7-ZIP\7z.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE
  C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE
  C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
  C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
  C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
  C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
Drops file in Windows directory (2 IoCs)
description / ioc / process
  File opened for modification C:\Windows\SYSTEM.INI  98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe
  File opened for modification C:\Windows\svchost.com  98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe
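The report lists dozens of third-party executables under Program Files opened for modification, plus C:\Windows\svchost.com, the launcher that the hijacked exefile command routes every .exe start through. Neshta is a file infector, but the exact on-disk layout of an infected host is not documented on this page, so the added Python below (not from the report or any vendor tool) implements the generic check a responder would run over such files: compute the extent the PE headers account for, measure the overlay beyond it, and look for a complete second MZ/PE header inside that overlay, which is the signature of a prepender or appender infector. The PE images are synthetic, built in memory so the example runs offline; the "infected" sample assumes the prepender layout (viral stub first, original host appended).

```python
import struct
from typing import Optional


def build_minimal_pe(body: bytes) -> bytes:
    """Build a tiny synthetic PE32 file with one section (test data, not a runnable program).

    Layout: DOS header (0x40 bytes) -> 'PE\\0\\0' -> COFF header (20) -> optional header (0xE0)
    -> one section header (40) -> zero padding to a 512-byte boundary -> section body.
    """
    e_lfanew, size_opt = 0x40, 0xE0
    dos = b'MZ' + b'\x00' * (0x3C - 2) + struct.pack('<I', e_lfanew)
    # Machine=i386, 1 section, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader, Characteristics
    coff = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack('<H', 0x10B) + b'\x00' * (size_opt - 2)   # PE32 magic, rest zeroed
    headers_len = e_lfanew + 4 + 20 + size_opt + 40
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF                     # FileAlignment 512
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, reloc/line ptrs and counts, flags
    section = b'.text\x00\x00\x00' + struct.pack(
        '<IIIIIIHHI', len(body), 0x1000, len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = dos + b'PE\x00\x00' + coff + opt + section
    return image + b'\x00' * (raw_ptr - len(image)) + body


def pe_declared_end(data: bytes) -> int:
    """Offset just past the last byte the headers account for: max(PointerToRawData + SizeOfRawData)."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        raise ValueError('not an MZ file')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\x00\x00':
        raise ValueError('PE signature not found')
    nsec = struct.unpack_from('<H', data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from('<H', data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 4 + 20 + size_opt
    end = sec_table + 40 * nsec
    for i in range(nsec):
        size_raw, ptr_raw = struct.unpack_from('<II', data, sec_table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def find_embedded_pe(data: bytes, start: int) -> Optional[int]:
    """Offset of the first complete MZ/PE header at or after `start`, else None."""
    pos = data.find(b'MZ', start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            lf = struct.unpack_from('<I', data, pos + 0x3C)[0]
            if 0x40 <= lf <= 0x1000 and data[pos + lf:pos + lf + 4] == b'PE\x00\x00':
                return pos
        pos = data.find(b'MZ', pos + 1)
    return None


def scan_for_infector_overlay(data: bytes) -> dict:
    """Report overlay size and whether a whole second executable sits inside it.

    An overlay alone is common (Authenticode signatures, installer payloads), so only an
    embedded PE header in the overlay is treated as the prepender/appender signal.
    """
    end = pe_declared_end(data)
    overlay = max(len(data) - end, 0)
    embedded = find_embedded_pe(data, end) if overlay else None
    return {'declared_end': end, 'overlay_bytes': overlay,
            'embedded_pe_at': embedded, 'suspicious': embedded is not None}


# Constructed samples: a clean file, a file with a harmless overlay, and a host whose
# original bytes were appended behind a 256-byte viral stub (prepender layout, assumed).
CLEAN = build_minimal_pe(b'\xC3' * 64)
OVERLAY_ONLY = CLEAN + b'\x00' * 100
HOST = build_minimal_pe(b'\x90' * 128)
INFECTED = build_minimal_pe(b'\xCC' * 256) + HOST

if __name__ == '__main__':
    for name, blob in [('clean', CLEAN), ('overlay-only', OVERLAY_ONLY), ('infected', INFECTED)]:
        print(f'{name:13} {scan_for_infector_overlay(blob)}')
```

Run it over the Program Files paths in the list above on the infected image (after extracting them from the VM) and the flagged files are the ones whose original bytes now sit behind the stub; self-extracting archives and droppers also embed a second PE, so treat a hit as a lead to confirm, not a verdict.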
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the victim's system language in order to infer the host's geographical location.
description / ioc / process
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe  (x2)
Modifies registry class (1 IoC)
description / ioc / process
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ (Default) = "C:\\Windows\\svchost.com \"%1\" %*"  98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid / process (process is 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe for every entry)
  1516  (x8)
  4956  (x4)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description / pid / process
  Token: SeDebugPrivilege  1516  98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe  (x64; every entry is pid 1516)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1516 wrote to memory of 776 | 1516 | 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe | 8
PID 1516 wrote to memory of 784 | 1516 | 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe | 9
PID 1516 wrote to memory of 1012 | 1516 | 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe | 13
PID 1516 wrote to memory of 2632 | 1516 | 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe | 44
PID 1516 wrote to memory of 2644 | 1516 | 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe | 45
PID 1516 wrote to memory of 2732 | 1516 | 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe | 47
PID 1516 wrote to memory of 3424 | 1516 | 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe | 56
PID 1516 wrote to memory of 3568 | 1516 | 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe | 57
PID 1516 wrote to memory of 3744 | 1516 | 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe | 58
PID 1516 wrote to memory of 3832 | 1516 | 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe | 59
PID 1516 wrote to memory of 3896 | 1516 | 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe | 60
PID 1516 wrote to memory of 3980 | 1516 | 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe | 61
PID 1516 wrote to memory of 4148 | 1516 | 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe | 62
PID 1516 wrote to memory of 4736 | 1516 | 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe | 75
PID 1516 wrote to memory of 5068 | 1516 | 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe | 76
PID 1516 wrote to memory of 4676 | 1516 | 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe | 81
PID 1516 wrote to memory of 4956 | 1516 | 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe | 83
(the same rows, with the 4956 row listed several times, recur in the same order for the remaining IoCs in this signature)
-
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe
Processes
-
Level 1: C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 776
-
Level 1: C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 784
-
Level 1: C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
  PID: 1012
-
Level 1: C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2632
-
Level 1: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2644
-
Level 1: C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2732
-
Level 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3424
  -
  Level 2: C:\Users\Admin\AppData\Local\Temp\98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe"
    PID: 1516
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Modifies system executable filetype association
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    -
    Level 3: C:\Users\Admin\AppData\Local\Temp\3582-490\98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe"
      PID: 4956
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Deletes itself
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - System policy modification
-
Level 1: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3568
-
Level 1: C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3744
-
Level 1: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3832
-
Level 1: C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3896
-
Level 1: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3980
-
Level 1: C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4148
-
Level 1: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 4736
-
Level 1: C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 5068
-
Level 1: C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 4676
Network
MITRE ATT&CK Enterprise v15
Persistence
  Create or Modify System Process 1
    Windows Service 1
  Event Triggered Execution 1
    Change Default File Association 1
Privilege Escalation
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Create or Modify System Process 1
    Windows Service 1
  Event Triggered Execution 1
    Change Default File Association 1
Defense Evasion
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Impair Defenses 4
    Disable or Modify System Firewall 1
    Disable or Modify Tools 3
  Modify Registry 6
Credential Access
  Credentials from Password Stores 1
    Credentials from Web Browsers 1
  Unsecured Credentials 1
    Credentials In Files 1
Downloads
-
Filesize: 431KB
MD5: 894e6c2ff10cf764a0eebf94949b2dc0
SHA1: 8e3b03bb335975381156f6922d5ecd05c8b8925d
SHA256: 3517ddf989b2dadfc4c51f10e9fc92d0f0ebb609f622a92c529ba590cbeeef59
SHA512: 2928bb5ff189f8e5bcbabe5114c0df1b6f2250df97537a3aa7058705f6259eac4f54ad642feb0f5288d6f92cd2787e7fa91c185f1cc659ee3b8c4311d3d9a9b9
-
C:\Users\Admin\AppData\Local\Temp\0E57B13F_Rar\98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe
Filesize: 123KB
MD5: 0b821290c68397ceb82e72bc2461dd75
SHA1: abbaf25d5f6b704e96fd8c4c5b7167bedb9ff89a
SHA256: da6a93a2ca6474486cf329773e9c9c0d807637e2a4688f9d24dbc20f70da3fb5
SHA512: 8a5f7427b680882ff4645c8278a50c3b0d58de1e9cdf0e69c2940f94fbef03b47292a9c3a6be08f38e69870efcaf5a7262a0e3f272127021d2fe91b12044da23
-
C:\Users\Admin\AppData\Local\Temp\3582-490\98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe
Filesize: 83KB
MD5: 1a3dcedfc4ec7ba61d6ce98d5f19bc33
SHA1: 954cb7e1294cc1ccab1320c612940dc856dd53d5
SHA256: b555293909b18eb3e9f75ab825c8434c55913c8f1f2f67a0bd8cce41e6b04abd
SHA512: 34f0aa716b6585068dab63f9f801002fa18d7f711b404711bc3e4351c2dd3798e479feba9969a743522051285b01e7379ec6d150270eea9b4c7eaec919f59925
-
Filesize: 234KB
MD5: 5b81e9752b3c6aa1fd2c9cb51f669990
SHA1: ca230a996615b2cad922a1c202bbf08b6341fca6
SHA256: b0cdd17f0f4b643b3e62c2f3fb361943264b423b60999e0142eb66a06e98ec3d
SHA512: 2be248e86856889bd36d90d5f2eb8025d6e099a3f16728b299f8df33e3c7ac98645240f67f02fd05c32bc360f0493d846b41fb11dac3c90ca3ebf15ef83562e8
-
Filesize: 257B
MD5: 9f161518fb8c07f36d3c2a754364f984
SHA1: 34ad54818eb15eabba67502bd061a4cafb6a9d24
SHA256: 2fa6a93a04d50cb8cce6064e4ae43da6a803f2e76af738a439dac6d3da710078
SHA512: ee9822ff08890f2e1414982e78c62130b21a7993a28e0d539e3a08d1e13dc10cff72757fa923496cdd98a82074c5443ad4fb0c3718a66bb24a1628bd80debad7