Analysis

max time kernel: 93s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 11-01-2025 02:09

Behavioral task: behavioral1
Sample: a65cf9ee76d9f146f847f848a9f736ac9fb4444db5bb9c9341a83c38a4ccf943.exe
Resource: win7-20240903-en

Note that the signature and process data below come from the behavioral2 run on the win10v2004-20241007-en (x64) resource; the behavioral1 task on win7-20240903-en is listed but its results are not shown here.
General

Target: a65cf9ee76d9f146f847f848a9f736ac9fb4444db5bb9c9341a83c38a4ccf943.exe
Size: 612KB
MD5: ba287c26a6c5cafe168e8ac392381be2
SHA1: acabd610f68bd6a288d42916afd0194898f53d75
SHA256: a65cf9ee76d9f146f847f848a9f736ac9fb4444db5bb9c9341a83c38a4ccf943
SHA512: 494166f4872b2b589c85fd36140ca667bb8766dbd65eecfc6ab110a679f581dae243c68cc09f96e32c2a10e7918475a46f1987db731a10e647cde1106d8fdb5f
SSDEEP: 6144:XNrgqE3QZ4/KjrWFiU6K73uZwUlgWPMOHSSj80i7idui1Yl6ns3hk:2U4/hFis73p1+OGgi7ghk
Malware Config

Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/
Signatures

Detect Neshta payload (6 IoCs)
yara rule family_neshta matched the following resources:
behavioral2/memory/1904-0-0x0000000000400000-0x000000000042C000-memory.dmp
behavioral2/files/0x0009000000023c8b-6.dat
behavioral2/memory/1904-41-0x0000000000400000-0x000000000042C000-memory.dmp
behavioral2/memory/1904-144-0x0000000000400000-0x000000000042C000-memory.dmp
behavioral2/memory/1904-167-0x0000000000400000-0x000000000042C000-memory.dmp
behavioral2/memory/1904-193-0x0000000000400000-0x000000000042C000-memory.dmp

Modifies firewall policy service (3 TTPs, 3 IoCs)
Process a65cf9ee76d9f146f847f848a9f736ac9fb4444db5bb9c9341a83c38a4ccf943.exe set value (int):
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Neshta
Malware from the Neshta family is a file infector: it writes itself into other executables on the host in order to spread, damaging them in the process.

Neshta family

Sality family
The sample carries both families. The C:\Windows\svchost.com drop and the exefile handler hijack listed below are Neshta's infection mechanism, while the extracted URL list, the Security Center, firewall and UAC writes and the memory writes into every running process match Sality.
Disables RegEdit via registry modification (1 IoCs)
Process a65cf9ee76d9f146f847f848a9f736ac9fb4444db5bb9c9341a83c38a4ccf943.exe set value (int):
\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"

Disables Task Manager via registry modification

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Process a65cf9ee76d9f146f847f848a9f736ac9fb4444db5bb9c9341a83c38a4ccf943.exe queried key value:
\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation

Modifies system executable filetype association (2 TTPs, 1 IoCs)
Process a65cf9ee76d9f146f847f848a9f736ac9fb4444db5bb9c9341a83c38a4ccf943.exe set value (str):
\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
With this value in place every .exe launched through the shell runs C:\Windows\svchost.com first, which receives the original executable and its arguments as "%1" %*; the dropped svchost.com therefore executes on every program start without needing a Run key or service.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Process a65cf9ee76d9f146f847f848a9f736ac9fb4444db5bb9c9341a83c38a4ccf943.exe set value (int) / created key:
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
yara rule upx matched (40 IoCs)
behavioral2/memory/1904-N-0x0000000002300000-0x000000000338E000-memory.dmp, for N in:
12, 17, 19, 16, 9, 15, 8, 20, 22, 30, 31, 33, 34, 35, 39, 56, 114, 128, 129, 132, 133, 134, 136, 138, 139, 142, 143, 147, 148, 151, 152, 155, 156, 158, 159, 160, 163, 164, 173, 194
Every hit is the same region, 0x2300000-0x338E000, which is separate from the main module image at 0x400000 where the family_neshta rule matched: a UPX-packed image is present in memory allocated by the process rather than in the file's own mapped sections.
Drops file in Program Files directory (64 IoCs)
Process a65cf9ee76d9f146f847f848a9f736ac9fb4444db5bb9c9341a83c38a4ccf943.exe opened the following files for modification (8.3 short names as logged; on 64-bit Windows PROGRA~2 is normally Program Files (x86) and PROGRA~3 is ProgramData):
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE
C:\PROGRA~2\WINDOW~4\setup_wm.exe
C:\PROGRA~2\WINDOW~4\wmplayer.exe
C:\PROGRAM FILES\7-ZIP\7z.exe
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe
C:\PROGRA~2\INTERN~1\iexplore.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE
C:\PROGRA~2\WINDOW~2\wab.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE
C:\PROGRA~2\INTERN~1\ExtExport.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
C:\PROGRA~2\Google\Update\DISABL~1.EXE
C:\PROGRA~2\WINDOW~4\wmpshare.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE
C:\PROGRA~2\WINDOW~4\wmlaunch.exe
C:\PROGRA~2\WINDOW~4\wmpconfig.exe
C:\PROGRA~2\WINDOW~4\wmprph.exe
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE
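The 64 executables opened for modification above are the footprint of a file infector, and the question a responder has next is which of those files now carry foreign code and whether the original program can be recovered. As an added example (not code from the report or from the sandbox vendor, and not a Neshta parser), the Python below implements the check for the layout a prepending infector leaves behind: it parses the PE section table to find where mapped data ends, then tests whether the overlay past that point is itself a complete PE image, and if so carves it out as the candidate original host. That layout is an assumption here, the report only lists the paths that were opened; the minimal PE files used as input are constructed fixtures, not bytes from the sample. A legitimate self-extracting installer can also carry a PE in its overlay, so a hit is a triage lead rather than proof of infection.

```python
import struct

# Added example: find a PE file that carries a second, complete PE image appended
# after its last section (what a prepending infector produces) and carve that image.
# Fixtures below are constructed minimal PEs, not bytes taken from the sample.

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def end_of_sections(data: bytes) -> int:
    """Return the file offset where the last section's raw data ends.

    Raises ValueError for anything that is not a parseable PE. Everything past
    the returned offset is overlay, i.e. bytes the loader never maps.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]    # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]       # COFF SizeOfOptionalHeader
    first_section = e_lfanew + 24 + opt_size
    end = 0
    for i in range(num_sections):
        off = first_section + i * SECTION_HDR.size
        if off + SECTION_HDR.size > len(data):
            raise ValueError("section table truncated")
        _name, _vsize, _va, raw_size, raw_ptr, *_rest = SECTION_HDR.unpack_from(data, off)
        end = max(end, raw_ptr + raw_size)
    if end == 0 or end > len(data):
        raise ValueError("section data outside the file")
    return end


def carve_appended_pe(data: bytes):
    """Return (overlay_offset, appended_image) when the overlay parses as a PE, else None.

    Signed binaries and installers also have overlays, so only an overlay that is a
    complete PE in its own right is reported.
    """
    try:
        overlay_off = end_of_sections(data)
        overlay = data[overlay_off:]
        end_of_sections(overlay)                 # must be a parseable PE by itself
    except (ValueError, struct.error):
        return None
    return overlay_off, overlay


def build_min_pe(payload: bytes) -> bytes:
    """Constructed fixture: a minimal PE32 with one .text section holding `payload`."""
    file_align = 0x200
    headers_size = file_align
    raw_size = (len(payload) + file_align - 1) // file_align * file_align
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)    # i386, 1 section, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, file_align)             # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 60, headers_size)                    # SizeOfHeaders
    sect = SECTION_HDR.pack(b".text", len(payload), 0x1000, raw_size, headers_size,
                            0, 0, 0, 0, 0x60000020)
    header = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(headers_size, b"\0")
    return header + payload.ljust(raw_size, b"\0")


# Constructed samples: a clean host, the same host with a benign non-PE overlay, and an
# "infected" file laid out as infector stub first, untouched host image appended after it.
HOST = build_min_pe(b"host program code")
HOST_WITH_SIG = HOST + b"\x30\x82\x01\x00 fake signature blob"
INFECTED = build_min_pe(b"infector stub code") + HOST

if __name__ == "__main__":
    for label, blob in (("host", HOST), ("host+overlay", HOST_WITH_SIG), ("infected", INFECTED)):
        hit = carve_appended_pe(blob)
        print(label, "->", "appended PE at 0x%x" % hit[0] if hit else "no appended PE")
```

On a real host the same two functions run over each path in the list above (read the file, call carve_appended_pe, hash and quarantine the carved image for comparison against a known-good copy). Files whose overlay is not a PE, or whose section table does not parse, need manual inspection; the infector may have altered the host in a different way than this layout assumes.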
Drops file in Windows directory (2 IoCs)
Process a65cf9ee76d9f146f847f848a9f736ac9fb4444db5bb9c9341a83c38a4ccf943.exe opened for modification:
C:\Windows\SYSTEM.INI
C:\Windows\svchost.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
Process a65cf9ee76d9f146f847f848a9f736ac9fb4444db5bb9c9341a83c38a4ccf943.exe opened key:
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Modifies registry class (1 IoCs)
Process a65cf9ee76d9f146f847f848a9f736ac9fb4444db5bb9c9341a83c38a4ccf943.exe set value (str):
\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Suspicious behavior: EnumeratesProcesses (10 IoCs)
PID 1904, a65cf9ee76d9f146f847f848a9f736ac9fb4444db5bb9c9341a83c38a4ccf943.exe (10 identical entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token: SeDebugPrivilege, PID 1904, a65cf9ee76d9f146f847f848a9f736ac9fb4444db5bb9c9341a83c38a4ccf943.exe (64 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Source PID 1904 (a65cf9ee76d9f146f847f848a9f736ac9fb4444db5bb9c9341a83c38a4ccf943.exe) wrote to the memory of the following target PIDs (procid_target in parentheses):
784 (8), 792 (9), 316 (13), 2656 (44), 2664 (45), 2772 (47), 3556 (56), 3676 (57), 3884 (58), 3972 (59), 4040 (60), 1016 (61), 4008 (62), 4788 (75), 3668 (76), 2728 (81)
The 64 rows are repeated passes over this set: one pass over all 16 targets, then three passes over the first 15 (2728 is not written to again), then 784, 792 and 316 once more.
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a65cf9ee76d9f146f847f848a9f736ac9fb4444db5bb9c9341a83c38a4ccf943.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe "fontdrvhost.exe" 1⤵ PID:784
-
C:\Windows\system32\fontdrvhost.exe "fontdrvhost.exe" 1⤵ PID:792
-
C:\Windows\system32\dwm.exe "dwm.exe" 1⤵ PID:316
-
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc 1⤵ PID:2656
-
C:\Windows\system32\sihost.exe sihost.exe 1⤵ PID:2664
-
C:\Windows\system32\taskhostw.exe taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} 1⤵ PID:2772
-
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE 1⤵ PID:3556
-
C:\Users\Admin\AppData\Local\Temp\a65cf9ee76d9f146f847f848a9f736ac9fb4444db5bb9c9341a83c38a4ccf943.exe "C:\Users\Admin\AppData\Local\Temp\a65cf9ee76d9f146f847f848a9f736ac9fb4444db5bb9c9341a83c38a4ccf943.exe" 2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Checks computer location settings
- Modifies system executable filetype association
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1904
-
-
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc 1⤵ PID:3676
-
C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} 1⤵ PID:3884
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca 1⤵ PID:3972
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:4040
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca 1⤵ PID:1016
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:4008
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca 1⤵ PID:4788
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:3668
-
C:\Windows\system32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca 1⤵ PID:2728
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process 1
  Windows Service 1
Event Triggered Execution 1
  Change Default File Association 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
  Bypass User Account Control 1
Create or Modify System Process 1
  Windows Service 1
Event Triggered Execution 1
  Change Default File Association 1
Defense Evasion
Abuse Elevation Control Mechanism 1
  Bypass User Account Control 1
Impair Defenses 4
  Disable or Modify System Firewall 1
  Disable or Modify Tools 3
Modify Registry 6
Credential Access
Credentials from Password Stores 1
  Credentials from Web Browsers 1
Unsecured Credentials 1
  Credentials In Files 1
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0E579FDA_Rar\a65cf9ee76d9f146f847f848a9f736ac9fb4444db5bb9c9341a83c38a4ccf943.exe
Filesize 544KB
MD5 533c91a3ea4e6fb54d40e099538d3b7f
SHA1 056e17501aba3480856847ebe266f5e030db8fff
SHA256 76c3b4329fff4540fa0fe5c9370f3de924ef60247d00d5d957d8a8abba0a28f8
SHA512 89a1ec5a033798bbf0a49b8c4fbfe8ee12726c15578d6e0fd83b4c989da9d77ee9928c7a6ada862c098fa250e944acfd18a1c466f4d72fc216630e7bdb8409ca
-
C:\Users\Admin\AppData\Local\Temp\3582-490\a65cf9ee76d9f146f847f848a9f736ac9fb4444db5bb9c9341a83c38a4ccf943.exe
Filesize 503KB
MD5 c015a940874789cd14f9e22f76a27ec9
SHA1 400a940dc0d095e2e1b68f0276a05db996030e96
SHA256 6c66c91abe95b3dbfc183d3095609e411d4e2698a086bea78e89142f142c4d6d
SHA512 c711f95f502fa9e1286167c965e6efba82878914109d4e2a6c3166d64d7ee207c1604155afce30e34d0dc13e0051f22beb6e323ed7592981791f362b6af26f8a