Analysis
max time kernel: 97s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 11-01-2025 10:07
Behavioral task: behavioral1
Sample: b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Resource: win7-20241010-en
General
Target: b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Size: 708KB
MD5: f9e4b8c0996aadb81b69c9a93ebba2b0
SHA1: fa85ca1759a704fd1cafe8777d6877f5deef3743
SHA256: b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287d
SHA512: 4c5484859607f1af5771de029585cf2502f13b0cdf4ab298a4582454f8529719ec774af9168eedcaa0774ecc588bd2e90bbc1acc1c4294803f322e299487e142
SSDEEP: 12288:7qU89vzAaKUaQqbWQrPBFSHvkJO1tmPY+QL2TFDhvfo:svzrpEWQ7zmvFYQL2FNw
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/
Signatures

Detect Neshta payload 6 IoCs
resource yara_rule
behavioral2/memory/4964-0-0x0000000000400000-0x000000000042D000-memory.dmp family_neshta
behavioral2/files/0x0009000000023c91-9.dat family_neshta
behavioral2/memory/4964-66-0x0000000000400000-0x000000000042D000-memory.dmp family_neshta
behavioral2/memory/4964-140-0x0000000000400000-0x000000000042D000-memory.dmp family_neshta
behavioral2/memory/4964-176-0x0000000000400000-0x000000000042D000-memory.dmp family_neshta
behavioral2/memory/4964-236-0x0000000000400000-0x000000000042D000-memory.dmp family_neshta

Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Neshta
Malware from the Neshta family injects itself into other files in order to spread and cause damage.
Neshta family

Sality family

description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe

description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe

Disables Task Manager via registry modification
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Executes dropped EXE 2 IoCs
pid Process
3916 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
3476 Un_A.exe

Loads dropped DLL 5 IoCs
pid Process
3476 Un_A.exe
3476 Un_A.exe
3476 Un_A.exe
3476 Un_A.exe
3476 Un_A.exe

Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe

description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe

resource yara_rule
behavioral2/memory/4964-3-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-12-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-14-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-19-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-15-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-20-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-16-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-4-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-13-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-1-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-41-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-42-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-49-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-50-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-60-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-61-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-84-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-141-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-142-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-146-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-147-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-165-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-166-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-173-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-174-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-175-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-179-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-180-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-195-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-197-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-198-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-200-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-202-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-204-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-208-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-210-0x0000000002300000-0x000000000338E000-memory.dmp upx
behavioral2/memory/4964-237-0x0000000002300000-0x000000000338E000-memory.dmp upx
Drops file in Program Files directory 64 IoCs
description ioc Process
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Drops file in Windows directory 2 IoCs
description ioc Process
File opened for modification C:\Windows\SYSTEM.INI b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
File opened for modification C:\Windows\svchost.com b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Un_A.exe

Modifies registry class 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process
4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Token: SeDebugPrivilege 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
3476 Un_A.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4964 wrote to memory of 780 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 8
PID 4964 wrote to memory of 788 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 9
PID 4964 wrote to memory of 380 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 13
PID 4964 wrote to memory of 2852 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 49
PID 4964 wrote to memory of 2872 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 50
PID 4964 wrote to memory of 2976 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 51
PID 4964 wrote to memory of 3432 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 56
PID 4964 wrote to memory of 3576 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 57
PID 4964 wrote to memory of 3768 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 58
PID 4964 wrote to memory of 3856 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 59
PID 4964 wrote to memory of 3920 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 60
PID 4964 wrote to memory of 4012 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 61
PID 4964 wrote to memory of 4164 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 62
PID 4964 wrote to memory of 4376 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 74
PID 4964 wrote to memory of 2500 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 76
PID 4964 wrote to memory of 3916 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 82
PID 4964 wrote to memory of 3916 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 82
PID 4964 wrote to memory of 3916 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 82
PID 3916 wrote to memory of 3476 3916 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 83
PID 3916 wrote to memory of 3476 3916 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 83
PID 3916 wrote to memory of 3476 3916 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 83
PID 4964 wrote to memory of 780 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 8
PID 4964 wrote to memory of 788 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 9
PID 4964 wrote to memory of 380 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 13
PID 4964 wrote to memory of 2852 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 49
PID 4964 wrote to memory of 2872 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 50
PID 4964 wrote to memory of 2976 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 51
PID 4964 wrote to memory of 3432 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 56
PID 4964 wrote to memory of 3576 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 57
PID 4964 wrote to memory of 3768 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 58
PID 4964 wrote to memory of 3856 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 59
PID 4964 wrote to memory of 3920 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 60
PID 4964 wrote to memory of 4012 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 61
PID 4964 wrote to memory of 4164 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 62
PID 4964 wrote to memory of 4376 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 74
PID 4964 wrote to memory of 2500 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 76
PID 4964 wrote to memory of 3476 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 83
PID 4964 wrote to memory of 3476 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 83
PID 4964 wrote to memory of 780 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 8
PID 4964 wrote to memory of 788 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 9
PID 4964 wrote to memory of 380 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 13
PID 4964 wrote to memory of 2852 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 49
PID 4964 wrote to memory of 2872 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 50
PID 4964 wrote to memory of 2976 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 51
PID 4964 wrote to memory of 3432 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 56
PID 4964 wrote to memory of 3576 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 57
PID 4964 wrote to memory of 3768 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 58
PID 4964 wrote to memory of 3856 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 59
PID 4964 wrote to memory of 3920 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 60
PID 4964 wrote to memory of 4012 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 61
PID 4964 wrote to memory of 4164 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 62
PID 4964 wrote to memory of 4376 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 74
PID 4964 wrote to memory of 2500 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 76
PID 4964 wrote to memory of 780 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 8
PID 4964 wrote to memory of 788 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 9
PID 4964 wrote to memory of 380 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 13
PID 4964 wrote to memory of 2852 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 49
PID 4964 wrote to memory of 2872 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 50
PID 4964 wrote to memory of 2976 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 51
PID 4964 wrote to memory of 3432 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 56
PID 4964 wrote to memory of 3576 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 57
PID 4964 wrote to memory of 3768 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 58
PID 4964 wrote to memory of 3856 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 59
PID 4964 wrote to memory of 3920 4964 b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe 60
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
Processes
- Level 1, PID 780: C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
- Level 1, PID 788: C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
- Level 1, PID 380: C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
- Level 1, PID 2852: C:\Windows\system32\sihost.exe
  Command line: sihost.exe
- Level 1, PID 2872: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- Level 1, PID 2976: C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- Level 1, PID 3432: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Level 2, PID 4964: C:\Users\Admin\AppData\Local\Temp\b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe"
    Signatures:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Modifies system executable filetype association
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - Level 3, PID 3916: C:\Users\Admin\AppData\Local\Temp\3582-490\b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe"
      Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - Level 4, PID 3476: C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\3582-490\
        Signatures:
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
- Level 1, PID 3576: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- Level 1, PID 3768: C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- Level 1, PID 3856: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- Level 1, PID 3920: C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- Level 1, PID 4012: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- Level 1, PID 4164: C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- Level 1, PID 4376: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- Level 1, PID 2500: C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process 1
  - Windows Service 1
- Event Triggered Execution 1
  - Change Default File Association 1
Privilege Escalation
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Create or Modify System Process 1
  - Windows Service 1
- Event Triggered Execution 1
  - Change Default File Association 1
Defense Evasion
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Impair Defenses 4
  - Disable or Modify System Firewall 1
  - Disable or Modify Tools 3
- Modify Registry 6
Credential Access
- Credentials from Password Stores 1
  - Credentials from Web Browsers 1
- Unsecured Credentials 1
  - Credentials In Files 1
Downloads
- C:\Users\Admin\AppData\Local\Temp\0E57B6CD_Rar\b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
  Filesize: 636KB
  MD5: e5bdd939dc6828ae594924ca3c412de7
  SHA1: 485a4b10130aba2ee7b7b56e32e30a057b1e7ce1
  SHA256: 9874a5d03de96b51f58bb519c3078229a0a2ea125a53ea99fdca25d8cfa981b8
  SHA512: d9cac72410c6af62b4f736679f4e3cc40d9167ae7053c2b31a11b47cdf0a73e60184813f335079aa095e67817ec8f517fce6810cad458d7a85a4032ae0b03a7c
- C:\Users\Admin\AppData\Local\Temp\3582-490\b91d629f3b3f5c4ec1d2daa9f39ad57233d088e3bc5391a5b9ea1cf0b9a2287dN.exe
  Filesize: 596KB
  MD5: e412b724c184019372091156991f25d7
  SHA1: 71e0ae3fa7db2568365c7eac5dd982c0dad23eae
  SHA256: aa48ff7c848a2631d823b6e1696c147509a601d813a8f7268d3b621b78933ce9
  SHA512: c6d0c8339f41d29c04ff0eec376abf574be22b5a7e60bbc3c3969f1d50e018f250cf9013e142170c117d4fe2945462d1d3ef3191fa6fa28a4032debf179aa973
- Filesize: 5KB
  MD5: 30b091668111ab1d6c19f16586a9eee5
  SHA1: aea49d81cf9972eaf1604793c04d13ddffe2c475
  SHA256: 331ca4b3a311324b463167ec43851146e57a2d90500ac3fd57a7683f6b777ffb
  SHA512: 6dd592af085b2e28c54d7f525916112dbf5cfe134393b0b97f8f1f64739cf90962273c51f02e8ce2c623cf6aa8355eacda5db0b0256d8f05a77ccf0f99d11648
- Filesize: 99KB
  MD5: 7abf66bab64e83da7a4da626bc34493a
  SHA1: c3adab85d079b75b0c46f6b25fd2a736687624c5
  SHA256: cbe5843990076d7cda9fe83aa305d66d3a0ffdcca932ef23114d1b3a491924f9
  SHA512: f1beeb7df3e24daa72bdb093ea655d236c601e55f039322676f80c8aace0d39af6fab78be6b6b63e9486473f78dae42a762022f776b55d118c7a20948990dd5e
- Filesize: 11KB
  MD5: 9625d5b1754bc4ff29281d415d27a0fd
  SHA1: 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
  SHA256: c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
  SHA512: dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b
- Filesize: 2KB
  MD5: 9a3031cc4cef0dba236a28eecdf0afb5
  SHA1: 708a76aa56f77f1b0ebc62b023163c2e0426f3ac
  SHA256: 53bb519e3293164947ac7cbd7e612f637d77a7b863e3534ba1a7e39b350d3c00
  SHA512: 8fddde526e7d10d77e247ea80b273beae9dde1d4112806f1f5c3e6a409247d54d8a4445ab5bdd77025a434c3d1dcfdf480dac21abbdb13a308d5eb74517fab53