Analysis
max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
01/02/2025, 22:32
Static task
static1
Behavioral task
behavioral1
Sample
3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Resource
win10v2004-20250129-en
General
Target
3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Size
212KB
MD5
9cb27937919a2c791fc108ceda0d6de0
SHA1
553703c7e64b4871751273ae77d3a20d96443c41
SHA256
3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf
SHA512
4fd9bf9b0a22da07503c2211b65f6c65304097a3fe6ad58451da06d374ebc9d84feeea28862b32a9f69cd28d5f0c6c08a9562dd4b2365cdf22b536d52ce5ca5f
SSDEEP
3072:c4/Wd8bsXQJl5v1l83PAUKpHqzQMyU6x2cgMRRvzcuNj5hDpqkoC:c4/23XQJ8IUKpHIQMyUpPMRRz1LPoC
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Sality family
-
UAC bypass 3 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Windows security bypass 2 TTPs 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Windows security modification 2 TTPs 7 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win32SystemFile = "C:\\MSystem.exe" 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftPCHealth = "C:\\Windows\\System32\\PCHealth.exe" 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Application Installer = "C:\\Windows\\Installer\\Installer.exe" 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Enumerates connected drives 3 TTPs 20 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\S: 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened (read-only) \??\T: 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened (read-only) \??\V: 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened (read-only) \??\G: 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened (read-only) \??\H: 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened (read-only) \??\L: 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened (read-only) \??\P: 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened (read-only) \??\J: 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened (read-only) \??\N: 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened (read-only) \??\R: 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened (read-only) \??\Z: 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened (read-only) \??\K: 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened (read-only) \??\M: 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened (read-only) \??\W: 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened (read-only) \??\X: 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened (read-only) \??\U: 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened (read-only) \??\E: 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened (read-only) \??\I: 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened (read-only) \??\O: 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened (read-only) \??\Q: 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File opened for modification C:\autorun.inf 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened for modification F:\autorun.inf 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Drops file in System32 directory 2 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\PCHealth.exe 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File created C:\Windows\SysWOW64\PCHealth.exe 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
resource yara_rule
behavioral1/memory/2068-3-0x0000000002630000-0x00000000036BE000-memory.dmp upx
behavioral1/memory/2068-5-0x0000000002630000-0x00000000036BE000-memory.dmp upx
behavioral1/memory/2068-7-0x0000000002630000-0x00000000036BE000-memory.dmp upx
behavioral1/memory/2068-8-0x0000000002630000-0x00000000036BE000-memory.dmp upx
behavioral1/memory/2068-12-0x0000000002630000-0x00000000036BE000-memory.dmp upx
behavioral1/memory/2068-10-0x0000000002630000-0x00000000036BE000-memory.dmp upx
behavioral1/memory/2068-6-0x0000000002630000-0x00000000036BE000-memory.dmp upx
behavioral1/memory/2068-11-0x0000000002630000-0x00000000036BE000-memory.dmp upx
behavioral1/memory/2068-9-0x0000000002630000-0x00000000036BE000-memory.dmp upx
behavioral1/memory/2068-44-0x0000000002630000-0x00000000036BE000-memory.dmp upx
behavioral1/memory/2068-45-0x0000000002630000-0x00000000036BE000-memory.dmp upx
behavioral1/memory/2068-46-0x0000000002630000-0x00000000036BE000-memory.dmp upx
behavioral1/memory/2068-47-0x0000000002630000-0x00000000036BE000-memory.dmp upx
behavioral1/memory/2068-48-0x0000000002630000-0x00000000036BE000-memory.dmp upx
behavioral1/memory/2068-50-0x0000000002630000-0x00000000036BE000-memory.dmp upx
behavioral1/memory/2068-51-0x0000000002630000-0x00000000036BE000-memory.dmp upx
behavioral1/memory/2068-53-0x0000000002630000-0x00000000036BE000-memory.dmp upx
behavioral1/memory/2068-55-0x0000000002630000-0x00000000036BE000-memory.dmp upx
behavioral1/memory/2068-57-0x0000000002630000-0x00000000036BE000-memory.dmp upx
behavioral1/memory/2068-74-0x0000000002630000-0x00000000036BE000-memory.dmp upx
behavioral1/memory/2068-76-0x0000000002630000-0x00000000036BE000-memory.dmp upx
behavioral1/memory/2068-77-0x0000000002630000-0x00000000036BE000-memory.dmp upx
behavioral1/memory/2068-79-0x0000000002630000-0x00000000036BE000-memory.dmp upx
behavioral1/memory/2068-81-0x0000000002630000-0x00000000036BE000-memory.dmp upx
behavioral1/memory/2068-83-0x0000000002630000-0x00000000036BE000-memory.dmp upx
behavioral1/memory/2068-97-0x0000000002630000-0x00000000036BE000-memory.dmp upx
Drops file in Program Files directory 9 IoCs
description ioc Process
File opened for modification C:\PROGRAM FILES\7-ZIP\7Z.EXE 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened for modification C:\PROGRAM FILES\7-ZIP\7ZFM.EXE 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened for modification C:\PROGRAM FILES\7-ZIP\UNINSTALL.EXE 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened for modification C:\PROGRAM FILES\7-ZIP\7ZG.EXE 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Drops file in Windows directory 3 IoCs
description ioc Process
File opened for modification C:\Windows\SYSTEM.INI 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File created C:\Windows\Installer\Installer.exe 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
File opened for modification C:\Windows\Installer\Installer.exe 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe -
Suspicious behavior: MapViewOfSection 25 IoCs
pid Process 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe Token: SeDebugPrivilege 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe Token: SeDebugPrivilege 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe Token: SeDebugPrivilege 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe Token: SeDebugPrivilege 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe Token: SeDebugPrivilege 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe Token: SeDebugPrivilege 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe Token: SeDebugPrivilege 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2068 wrote to memory of 380 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 3
PID 2068 wrote to memory of 380 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 3
PID 2068 wrote to memory of 380 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 3
PID 2068 wrote to memory of 380 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 3
PID 2068 wrote to memory of 380 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 3
PID 2068 wrote to memory of 380 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 3
PID 2068 wrote to memory of 380 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 3
PID 2068 wrote to memory of 396 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 4
PID 2068 wrote to memory of 396 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 4
PID 2068 wrote to memory of 396 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 4
PID 2068 wrote to memory of 396 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 4
PID 2068 wrote to memory of 396 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 4
PID 2068 wrote to memory of 396 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 4
PID 2068 wrote to memory of 396 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 4
PID 2068 wrote to memory of 432 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 5
PID 2068 wrote to memory of 432 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 5
PID 2068 wrote to memory of 432 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 5
PID 2068 wrote to memory of 432 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 5
PID 2068 wrote to memory of 432 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 5
PID 2068 wrote to memory of 432 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 5
PID 2068 wrote to memory of 432 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 5
PID 2068 wrote to memory of 476 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 6
PID 2068 wrote to memory of 476 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 6
PID 2068 wrote to memory of 476 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 6
PID 2068 wrote to memory of 476 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 6
PID 2068 wrote to memory of 476 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 6
PID 2068 wrote to memory of 476 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 6
PID 2068 wrote to memory of 476 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 6
PID 2068 wrote to memory of 492 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 7
PID 2068 wrote to memory of 492 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 7
PID 2068 wrote to memory of 492 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 7
PID 2068 wrote to memory of 492 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 7
PID 2068 wrote to memory of 492 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 7
PID 2068 wrote to memory of 492 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 7
PID 2068 wrote to memory of 492 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 7
PID 2068 wrote to memory of 500 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 8
PID 2068 wrote to memory of 500 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 8
PID 2068 wrote to memory of 500 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 8
PID 2068 wrote to memory of 500 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 8
PID 2068 wrote to memory of 500 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 8
PID 2068 wrote to memory of 500 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 8
PID 2068 wrote to memory of 500 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 8
PID 2068 wrote to memory of 596 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 9
PID 2068 wrote to memory of 596 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 9
PID 2068 wrote to memory of 596 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 9
PID 2068 wrote to memory of 596 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 9
PID 2068 wrote to memory of 596 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 9
PID 2068 wrote to memory of 596 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 9
PID 2068 wrote to memory of 596 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 9
PID 2068 wrote to memory of 672 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 10
PID 2068 wrote to memory of 672 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 10
PID 2068 wrote to memory of 672 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 10
PID 2068 wrote to memory of 672 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 10
PID 2068 wrote to memory of 672 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 10
PID 2068 wrote to memory of 672 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 10
PID 2068 wrote to memory of 672 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 10
PID 2068 wrote to memory of 760 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 11
PID 2068 wrote to memory of 760 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 11
PID 2068 wrote to memory of 760 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 11
PID 2068 wrote to memory of 760 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 11
PID 2068 wrote to memory of 760 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 11
PID 2068 wrote to memory of 760 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 11
PID 2068 wrote to memory of 760 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 11
PID 2068 wrote to memory of 820 2068 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe 12
System policy modification 1 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe
Processes
- C:\Windows\system32\wininit.exe (cmd: wininit.exe) PID:380
  - C:\Windows\system32\services.exe (cmd: C:\Windows\system32\services.exe) PID:476
    - C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k DcomLaunch) PID:596
      - C:\Windows\system32\DllHost.exe (cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) PID:1956
      - C:\Windows\system32\wbem\wmiprvse.exe (cmd: C:\Windows\system32\wbem\wmiprvse.exe) PID:1400
    - C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k RPCSS) PID:672
    - C:\Windows\System32\svchost.exe (cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted) PID:760
    - C:\Windows\System32\svchost.exe (cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted) PID:820
      - C:\Windows\system32\Dwm.exe (cmd: "C:\Windows\system32\Dwm.exe") PID:1052
    - C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k netsvcs) PID:848
      - \\?\C:\Windows\system32\wbem\WMIADAP.EXE (cmd: wmiadap.exe /F /T /R) PID:2404
    - C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k LocalService) PID:968
    - C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k NetworkService) PID:272
    - C:\Windows\system32\taskhost.exe (cmd: "taskhost.exe") PID:1072
    - C:\Windows\System32\spoolsv.exe (cmd: C:\Windows\System32\spoolsv.exe) PID:1080
    - C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork) PID:1160
    - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (cmd: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE") PID:1216
    - C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation) PID:2060
    - C:\Windows\system32\sppsvc.exe (cmd: C:\Windows\system32\sppsvc.exe) PID:1908
  - C:\Windows\system32\lsass.exe (cmd: C:\Windows\system32\lsass.exe) PID:492
  - C:\Windows\system32\lsm.exe (cmd: C:\Windows\system32\lsm.exe) PID:500
- C:\Windows\system32\csrss.exe (cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16) PID:396
- C:\Windows\system32\winlogon.exe (cmd: winlogon.exe) PID:432
- C:\Windows\Explorer.EXE (cmd: C:\Windows\Explorer.EXE) PID:1148
  - C:\Users\Admin\AppData\Local\Temp\3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe (cmd: "C:\Users\Admin\AppData\Local\Temp\3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf.exe") PID:2068
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
- C:\Users\Admin\AppData\Local\Temp\490561722\zmstage.exe (cmd: C:\Users\Admin\AppData\Local\Temp\490561722\zmstage.exe) PID:1880
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (6)
Downloads
Filesize
212KB
MD5
9cb27937919a2c791fc108ceda0d6de0
SHA1
553703c7e64b4871751273ae77d3a20d96443c41
SHA256
3703bb46bea3b386482287c1d6b3c79ff4fe201ff843a804946d97f0e82b6fdf
SHA512
4fd9bf9b0a22da07503c2211b65f6c65304097a3fe6ad58451da06d374ebc9d84feeea28862b32a9f69cd28d5f0c6c08a9562dd4b2365cdf22b536d52ce5ca5f
Filesize
105KB
MD5
85c30f7667336c01d3ca0a1fdaf11449
SHA1
98fe6d3cd7c6dc7d5901c179ab5eb9e33bd3fb11
SHA256
432edbf85825628f39fd99deb2278cfaff7b5d090873b0c2eb2bb69c84b4b8d4
SHA512
ebee7496ac0f57b1e94e4168375985019253c590e2a1b65d02d700238c2f8b35bf94b92d90dd22a8919b70ec818f13ee7db6d55776dfbc6bbfe2cea88027e68d