Analysis

max time kernel: 148s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-01-2025 12:17

Static task: static1
Behavioral task: behavioral1
Sample: 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe
Resource: win7-20240903-en

General

Target: 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe
Size: 148KB
MD5: 404947edee1d702d11a2873ecae9c683
SHA1: 59f74dc10e68943542a80e747e46b4c08b246a05
SHA256: 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747
SHA512: c6c7e733913a11a00cea3be60d88d241dc851fd6d6d60a26c6a3f22342edef419472bfa7dcbf3fca3f475fc938f8642976e7cb6b7635b69852d20e8bb7e73420
SSDEEP: 3072:oEfewELA9HsfRnewjc1/qMkOWywq3xyZzonH/75VJ5Dyi+iKwHaGgyBC7fA:oEfBELA9HsvOYq3AZonHj5V8lwHaGVC4
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service | 3 TTPs | 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe
Sality family
UAC bypass | 3 TTPs | 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe
Windows security bypass | 2 TTPs | 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe
Checks computer location settings | 2 TTPs | 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe
Windows security modification | 2 TTPs | 7 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe
Checks whether UAC is enabled | 1 TTPs | 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe
Enumerates connected drives | 3 TTPs | 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe
YARA rule match: upx (16 memory dumps of PID 3468)
resource | yara_rule
behavioral2/memory/3468-{1,3,4,5,8,9,12,13,14,15,16,17,18,19,21,24}-0x0000000002450000-0x00000000034DE000-memory.dmp | upx
Drops file in Windows directory | 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe
Enumerates physical storage devices | 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery | 1 TTPs | 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Modifies Internet Explorer settings
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\DOMStorage\qq.com | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 005f92c4b570db01 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\qq.com\NumberOfSubdomains = "1" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "44" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2534769206" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\DOMStorage\qqgame.qq.com | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31158453" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000093f113940277094cbb61da2417b1285f000000000200000000001066000000010000200000009be96d891cf605e742e40f29dab483564f3d75e83f3e06754dcac5835dc24250000000000e800000000200002000000042d75a0dfb908ea620140aaed739bf2968c9af9f05b443ad5395885c1a33eb0220000000ac2c026e0d0fc21276e545ee8b3b59350de41f859de50d7c6777f8fd5c8bb3ea40000000d888c0c4c124b0cacfe33ffe8f117f87d70d76146018a036405b67490dc09b26c6d93ddd955a2a773a318d67863fdd8db2ce0fd3672417349729564ec91d9ce6 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C2355749-DCA8-11EF-B9D5-DEEFF298442C} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\qq.com | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31158453" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\IESettingSync | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 009b88c4b570db01 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000093f113940277094cbb61da2417b1285f000000000200000000001066000000010000200000002ac1c74df18f6af9c3d4c1c7dcd90ccb80e49faa86a4bdb1aa003887aab2e103000000000e8000000002000020000000b1abda8d22799c9e76538fb62103ecf500f11dbc4b85c7d9b60d95aa35d3899620000000172825c7062eaa83f615a5d42ff1a2f02c80c5d6d6bd967e57e0a5311843175f4000000012108a376994fbf073725b9ac8d6104acfa46afc2db3fdcf617e8fde17b1e8c24c78218ca9cf573d34b2af3073deb9107b5eb2866ebe7f7978604074c57a5e61 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "444745259" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\qqgame.qq.com\ = "44" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\qq.com\Total = "44" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2536956816" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Modifies registry class | 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3227495264-2217614367-4027411560-1000\{D85BBA62-5868-402A-8538-947D426C5BA7} | IEXPLORE.EXE
Suspicious behavior: EnumeratesProcesses | 4 IoCs
pid | Process
3468 | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe (4 identical entries)
Suspicious use of AdjustPrivilegeToken | 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3468 | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe (64 identical entries)
Suspicious use of FindShellTrayWindow | 1 IoCs
pid | Process
2744 | iexplore.exe
Suspicious use of SetWindowsHookEx | 6 IoCs
pid | Process
2744 | iexplore.exe (2 entries)
2108 | IEXPLORE.EXE (4 entries)
Suspicious use of WriteProcessMemory | 35 IoCs
description | pid | Process | procid_target | entries
PID 3468 wrote to memory of 780 | 3468 | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe | 8 | 2
PID 3468 wrote to memory of 788 | 3468 | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe | 9 | 2
PID 3468 wrote to memory of 1020 | 3468 | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe | 13 | 2
PID 3468 wrote to memory of 2316 | 3468 | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe | 51 | 2
PID 3468 wrote to memory of 1400 | 3468 | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe | 52 | 2
PID 3468 wrote to memory of 3104 | 3468 | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe | 53 | 2
PID 3468 wrote to memory of 3392 | 3468 | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe | 56 | 2
PID 3468 wrote to memory of 3556 | 3468 | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe | 57 | 2
PID 3468 wrote to memory of 3740 | 3468 | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe | 58 | 2
PID 3468 wrote to memory of 3836 | 3468 | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe | 59 | 2
PID 3468 wrote to memory of 3900 | 3468 | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe | 60 | 2
PID 3468 wrote to memory of 3984 | 3468 | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe | 61 | 2
PID 3468 wrote to memory of 3384 | 3468 | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe | 62 | 2
PID 3468 wrote to memory of 400 | 3468 | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe | 75 | 2
PID 3468 wrote to memory of 1852 | 3468 | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe | 76 | 2
PID 3468 wrote to memory of 2744 | 3468 | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe | 82 | 2
PID 2744 wrote to memory of 2108 | 2744 | iexplore.exe | 83 | 3
System policy modification | 1 TTPs | 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe
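Two tables above carry most of the detection value: the registry writes that switch off the host firewall (EnableFirewall, DoNotAllowExceptions, DisableNotifications), disable UAC (EnableLUA = 0) and silence Security Center (the *Override and *DisableNotify values), and the WriteProcessMemory table, in which PID 3468 writes into 16 distinct processes. Those 16 targets are exactly the PIDs of fontdrvhost.exe, dwm.exe, sihost.exe, Explorer.EXE and the other top-level entries in the process tree below, so they appear there as injection targets, not as children of the sample. The Python below is an added example, not part of the sandbox's own signature engine: it parses event lines in the format this report uses, maps each registry write to the protection it disables and an ATT&CK sub-technique, and flags any process that writes into many other processes. The mapping table, the fan-out threshold of five distinct targets, and the stand-in process name sample.exe for the hash-named executable are assumptions of the example; the sample lines are constructed from a subset of the IoCs above plus one benign Internet Explorer write that must not be flagged.

```python
"""Triage helper for sandbox event lines like the ones in this report.

Added example, not the sandbox's own logic. It recognises two event shapes:
  Set value (<type>) <registry path> = "<value>" <process>
  PID <src> wrote to memory of <dst> <src> <process> <target index>
"""
import re
from collections import defaultdict

# Registry writes that disable or mute a built-in protection. Each row is
# (key tail, value name, value that impairs, ATT&CK sub-technique, meaning).
# Matching on the key tail catches both the native and WOW6432Node views.
# Assumption: this table and the ATT&CK mapping are ours, not the sandbox's.
DEFENSE_IMPAIRMENT = [
    (r"\FirewallPolicy\StandardProfile", "EnableFirewall", "0", "T1562.004", "host firewall turned off"),
    (r"\FirewallPolicy\StandardProfile", "DoNotAllowExceptions", "0", "T1562.004", "firewall exceptions permitted"),
    (r"\FirewallPolicy\StandardProfile", "DisableNotifications", "1", "T1562.004", "firewall notifications muted"),
    (r"\Policies\System", "EnableLUA", "0", "T1548.002", "UAC disabled (takes effect at next logon)"),
    (r"\Microsoft\Security Center", "AntiVirusOverride", "1", "T1562.001", "Security Center AV status overridden"),
    (r"\Microsoft\Security Center", "FirewallOverride", "1", "T1562.001", "Security Center firewall status overridden"),
    (r"\Microsoft\Security Center", "AntiVirusDisableNotify", "1", "T1562.001", "Security Center AV alerts muted"),
    (r"\Microsoft\Security Center", "FirewallDisableNotify", "1", "T1562.001", "Security Center firewall alerts muted"),
    (r"\Microsoft\Security Center", "UpdatesDisableNotify", "1", "T1562.001", "Security Center update alerts muted"),
    (r"\Microsoft\Security Center", "UacDisableNotify", "1", "T1562.001", "Security Center UAC alerts muted"),
]

SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<val>[^"]*)" (?P<proc>\S+)$')
WPM_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<proc>\S+) \d+$')


def parse_registry_set(line):
    """Split a 'Set value' event into type, key, value name, value and process."""
    m = SET_RE.match(line.strip())
    if not m:
        return None
    key, _, name = m.group("path").rpartition("\\")
    return {"type": m.group("type"), "key": key, "name": name,
            "value": m.group("val"), "process": m.group("proc")}


def classify_registry_set(line):
    """Return (technique, meaning, process) when the write impairs a defence, else None."""
    ev = parse_registry_set(line)
    if ev is None:
        return None
    key_l = ev["key"].lower()
    for tail, name, bad, technique, meaning in DEFENSE_IMPAIRMENT:
        if key_l.endswith(tail.lower()) and ev["name"].lower() == name.lower() and ev["value"] == bad:
            return technique, meaning, ev["process"]
    return None


def injection_fanout(lines, min_targets=5):
    """Group WriteProcessMemory events by writer; keep writers that touch at least
    `min_targets` distinct other PIDs (the threshold is an assumption, tune it)."""
    targets = defaultdict(set)
    names = {}
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m.group("src")), int(m.group("dst"))
        if src != dst:
            targets[src].add(dst)
            names[src] = m.group("proc")
    return {src: {"process": names[src], "targets": sorted(pids)}
            for src, pids in targets.items() if len(pids) >= min_targets}


def triage(lines, min_targets=5):
    """Run both checks over a list of event lines and summarise the hits."""
    registry = [hit for hit in map(classify_registry_set, lines) if hit]
    techniques = sorted({t for t, _, _ in registry})
    return {"registry": registry, "techniques": techniques,
            "injection": injection_fanout(lines, min_targets)}


# Constructed sample: a subset of this report's IoCs with the hash-named
# executable written as sample.exe, plus one benign iexplore.exe write.
SAMPLE = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" sample.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" sample.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sample.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" sample.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" sample.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe
PID 3468 wrote to memory of 780 3468 sample.exe 8
PID 3468 wrote to memory of 788 3468 sample.exe 9
PID 3468 wrote to memory of 1020 3468 sample.exe 13
PID 3468 wrote to memory of 2316 3468 sample.exe 51
PID 3468 wrote to memory of 3392 3468 sample.exe 56
PID 3468 wrote to memory of 2744 3468 sample.exe 82
PID 2744 wrote to memory of 2108 2744 iexplore.exe 83
""".strip().splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE)
    for technique, meaning, proc in result["registry"]:
        print(f"{technique}  {meaning:45s} by {proc}")
    for src, info in result["injection"].items():
        print(f"PID {src} ({info['process']}) wrote into {len(info['targets'])} other processes: {info['targets']}")
```

On the constructed sample the five registry writes resolve to T1548.002, T1562.001 and T1562.004, the iexplore.exe write is ignored, and PID 3468 is reported for writing into six distinct processes while the iexplore.exe parent that touched only its own child stays below the threshold. The fan-out check is what separates a process hollowing one child from the every-process injection seen above; the registry check is worth running against the live host as well, since EnableLUA = 0 only takes effect after the next logon and is easy to miss in the sandbox window.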
Processes
(image | command line | PID; indentation shows parent/child depth)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:780
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:788
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:1020
C:\Windows\system32\sihost.exe | sihost.exe | PID:2316
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:1400
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3104
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3392
  C:\Users\Admin\AppData\Local\Temp\164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe | "C:\Users\Admin\AppData\Local\Temp\164bcf726a43c1f0f9e2cc48f3475a93729573f72a5b59877d59ba5ea608e747.exe" | PID:3468
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Checks computer location settings
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" http://qqgame.qq.com | PID:2744
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2744 CREDAT:17410 /prefetch:2 | PID:2108
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious use of SetWindowsHookEx
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3556
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3740
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3836
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3900
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:3984
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3384
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:400
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:1852
C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0x300 0x2c8 | PID:4064
Network
MITRE ATT&CK Enterprise v15
(technique, count of matching signatures)

Privilege Escalation
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
Defense Evasion
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Impair Defenses (T1562): 4
    Disable or Modify System Firewall (T1562.004): 1
    Disable or Modify Tools (T1562.001): 3
  Modify Registry (T1112): 6
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 471B
MD5: 65ff4e1a660b03c192195dc09416d8a8
SHA1: c8e9c1b5d0e74e2f581eaa06d77db42ddb2b24b9
SHA256: 25f890730498e80c6b85f0ca869917f45af6cadbb427695a615181eac3285dc2
SHA512: 3efa3c79d74861659b4e6e97b362fb4943eeae2e81425029bbf407fb2c4c914bc2d2b43bc8164e9ed050cdb24f411a8582e086eb3557227ad79ec2256c5a52ba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
MD5: 8c54b1112112c277c0d517fcc849fe34
SHA1: 54c4f2b719499d16d72a4c0d57dc48f3c59a3306
SHA256: 22e57bf24ab0f4aba95d13ba3fd07715ff878cacec93dc1a17b7861c44b346de
SHA512: 2b04df2e69b5c6b991cc112bd37f5598c911c267dcd2d621f3b6370711cf0014d8a8867bb101a9ee0c45846e8371c99d318cc7687426a8736b98410103882117

Filesize: 9KB
MD5: 6fd4ae56e40c64896f0f560eea432088
SHA1: 05541dfcda330777b8ac75507a7bbdba95edc9f9
SHA256: 5dcb528e63b7e355a4ff1d5e0335fbf4b4b8ef786b0e182e40a425d6c6407e5b
SHA512: 0db6f305314f5fa18bb582d32cc951c754decd08fd0bad6f0896712587dc240e7e1efd1452c8b13541d8feff133478d8944bd1216377ff599c39adf75427a7ae

Filesize: 9KB
MD5: 0aae30aa38a61809a8d81f2cfd32cc7f
SHA1: 2b2c2b90f2c5de416c88410223ec9635892795c9
SHA256: fb8c48cd59749973a78fdeea301c9126279e7ad59cf385c8ada93b2620e51965
SHA512: c2f6c51ac3e74e6f9f7d1cd846911be7018834ffdf70a5da57e128dbc90388735d7f27b1b811aacd44a4689f91dcb20cb3a2144ebb145a39d3a3e094d46959e6

Filesize: 17KB
MD5: 5a34cb996293fde2cb7a4ac89587393a
SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee