Analysis
max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-02-2025 08:01
Static task
static1
Behavioral tasks
behavioral1 | Sample: abc/R700,.exe | Resource: win7-20240729-en
behavioral2 | Sample: abc/R700,.exe | Resource: win10v2004-20250129-en
behavioral3 | Sample: abc/abc3;.exe | Resource: win7-20240903-en
behavioral4 | Sample: abc/abc3;.exe | Resource: win10v2004-20250129-en
behavioral5 | Sample: abc/abc7;.exe | Resource: win7-20240903-en
behavioral6 | Sample: abc/abc7;.exe | Resource: win10v2004-20250129-en
behavioral7 | Sample: abc/new;.exe | Resource: win7-20240903-en
General
Target: abc/R700,.exe
Size: 1.2MB
MD5: 7683790ae33576643b69c12d640fd5fc
SHA1: adbd241d4dc1ff76dd5269b00b6c0278bb50588c
SHA256: a5d1941cd0dafe9f7ee2034200e2aca8f2e323a5eeb7fb9f3b210906b8e5158f
SHA512: b3ace082767cccda5d21ddec192e37fe1ce4d15c50374a140a1700c8c28231aa3b56fe1ee4a011f17d67b40b5ab2a610ae03367574149f143af218956e4bef94
SSDEEP: 24576:TmPZ/5jLtGHyhdFP8gxBYTICZazH0XHEvJ4BDm:KPZ/ltGakgxYa0XHEG6
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | R700,.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | R700,.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | R700,.exe
Sality family
UAC bypass 3 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | R700,.exe
Windows security bypass 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | R700,.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | R700,.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | R700,.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | R700,.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | R700,.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | R700,.exe
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6DFE29.lnk | WD32BEB.EXE
Executes dropped EXE 1 IoCs
pid | Process
2944 | WD32BEB.EXE
Loads dropped DLL 10 IoCs
pid | Process
4648 | R700,.exe
4648 | R700,.exe
4648 | R700,.exe
2944 | WD32BEB.EXE
2944 | WD32BEB.EXE
2944 | WD32BEB.EXE
2944 | WD32BEB.EXE
2944 | WD32BEB.EXE
2944 | WD32BEB.EXE
2944 | WD32BEB.EXE
Windows security modification 2 TTPs 7 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | R700,.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | R700,.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | R700,.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | R700,.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | R700,.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | R700,.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | R700,.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | R700,.exe
Drops file in System32 directory 7 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\191dd0\WD32BEB.EXE | R700,.exe
File created | C:\Windows\SysWOW64\191dd0\eAPI.fne | R700,.exe
File created | C:\Windows\SysWOW64\191dd0\HtmlView.fne | R700,.exe
File created | C:\Windows\SysWOW64\191dd0\internet.fne | R700,.exe
File created | C:\Windows\SysWOW64\191dd0\WD32BEB.TXT | R700,.exe
File created | C:\Windows\SysWOW64\191dd0\dp1.fne | R700,.exe
File created | C:\Windows\SysWOW64\191dd0\krnln.fnr | R700,.exe
resource | yara_rule
behavioral2/memory/4648-3-0x00000000021E0000-0x000000000329A000-memory.dmp | upx
behavioral2/memory/4648-12-0x00000000021E0000-0x000000000329A000-memory.dmp | upx
behavioral2/memory/4648-11-0x00000000021E0000-0x000000000329A000-memory.dmp | upx
behavioral2/memory/4648-10-0x00000000021E0000-0x000000000329A000-memory.dmp | upx
behavioral2/memory/4648-24-0x00000000021E0000-0x000000000329A000-memory.dmp | upx
behavioral2/memory/4648-23-0x00000000021E0000-0x000000000329A000-memory.dmp | upx
behavioral2/memory/4648-16-0x00000000021E0000-0x000000000329A000-memory.dmp | upx
behavioral2/memory/4648-27-0x00000000021E0000-0x000000000329A000-memory.dmp | upx
behavioral2/memory/4648-28-0x00000000021E0000-0x000000000329A000-memory.dmp | upx
behavioral2/memory/4648-15-0x00000000021E0000-0x000000000329A000-memory.dmp | upx
behavioral2/memory/4648-29-0x00000000021E0000-0x000000000329A000-memory.dmp | upx
behavioral2/memory/4648-54-0x00000000021E0000-0x000000000329A000-memory.dmp | upx
behavioral2/memory/4648-60-0x00000000021E0000-0x000000000329A000-memory.dmp | upx
behavioral2/memory/4648-83-0x00000000021E0000-0x000000000329A000-memory.dmp | upx
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | R700,.exe
File created | C:\Windows\e57a103 | R700,.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | R700,.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WD32BEB.EXE
Modifies Internet Explorer settings
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe -
Modifies registry class 41 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000003d5a754f100041646d696e003c0009000400efbe3d5a8949425a2b402e00000056e1010000000100000000000000000000000000000075fdb400410064006d0069006e00000014000000 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4e00310000000000425a2b40100054656d7000003a0009000400efbe3d5a8949425a2b402e00000075e101000000010000000000000000000000000000004722c900540065006d007000000014000000 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 56003100000000003d5a894912004170704461746100400009000400efbe3d5a8949425a2b402e00000061e10100000001000000000000000000000000000000ccee85004100700070004400610074006100000016000000 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 78003100000000003d5a89491100557365727300640009000400efbe874f7748425a2b402e000000c70500000000010000000000000000003a0000000000f63b940055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 50003100000000003d5ad14b10004c6f63616c003c0009000400efbe3d5a8949425a2b402e00000074e101000000010000000000000000000000000000005a6628004c006f00630061006c00000014000000 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = 4a00310000000000425a2b40100061626300380009000400efbe425a2b40425a2b402e000000693c0200000007000000000000000000000000000000244f2401610062006300000012000000 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1" | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | explorer.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
4896 | explorer.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
4648 | R700,.exe
4648 | R700,.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4648 | R700,.exe (the same entry is recorded 64 times)
Suspicious use of SetWindowsHookEx 10 IoCs
pid | Process
4648 | R700,.exe
4648 | R700,.exe
2944 | WD32BEB.EXE
2944 | WD32BEB.EXE
2944 | WD32BEB.EXE
4896 | explorer.exe
4896 | explorer.exe
2944 | WD32BEB.EXE
2944 | WD32BEB.EXE
2944 | WD32BEB.EXE
Suspicious use of WriteProcessMemory 24 IoCs
description | pid | Process | procid_target
PID 4648 wrote to memory of 772 | 4648 | R700,.exe | 8
PID 4648 wrote to memory of 780 | 4648 | R700,.exe | 9
PID 4648 wrote to memory of 316 | 4648 | R700,.exe | 13
PID 4648 wrote to memory of 2488 | 4648 | R700,.exe | 42
PID 4648 wrote to memory of 2500 | 4648 | R700,.exe | 43
PID 4648 wrote to memory of 2692 | 4648 | R700,.exe | 47
PID 4648 wrote to memory of 3364 | 4648 | R700,.exe | 56
PID 4648 wrote to memory of 3516 | 4648 | R700,.exe | 57
PID 4648 wrote to memory of 3724 | 4648 | R700,.exe | 58
PID 4648 wrote to memory of 3820 | 4648 | R700,.exe | 59
PID 4648 wrote to memory of 3888 | 4648 | R700,.exe | 60
PID 4648 wrote to memory of 3980 | 4648 | R700,.exe | 61
PID 4648 wrote to memory of 3548 | 4648 | R700,.exe | 62
PID 4648 wrote to memory of 2672 | 4648 | R700,.exe | 75
PID 4648 wrote to memory of 216 | 4648 | R700,.exe | 76
PID 4648 wrote to memory of 5000 | 4648 | R700,.exe | 80
PID 4648 wrote to memory of 3408 | 4648 | R700,.exe | 81
PID 4648 wrote to memory of 3324 | 4648 | R700,.exe | 83
PID 4648 wrote to memory of 856 | 4648 | R700,.exe | 84
PID 4648 wrote to memory of 856 | 4648 | R700,.exe | 84
PID 4648 wrote to memory of 856 | 4648 | R700,.exe | 84
PID 4648 wrote to memory of 2944 | 4648 | R700,.exe | 87
PID 4648 wrote to memory of 2944 | 4648 | R700,.exe | 87
PID 4648 wrote to memory of 2944 | 4648 | R700,.exe | 87
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | R700,.exe
Processes
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 772
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 780
- C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
  PID: 316
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2488
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2500
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2692
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3364
  - C:\Users\Admin\AppData\Local\Temp\abc\R700,.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\abc\R700,.exe"
    PID: 4648
    Signatures:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\SysWOW64\explorer.exe
      Command line: explorer C:\Users\Admin\AppData\Local\Temp\abc\
      PID: 856
      Signatures:
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\191dd0\WD32BEB.EXE
      Command line: C:\Windows\system32\\191dd0\WD32BEB.EXE
      PID: 2944
      Signatures:
      - Drops startup file
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3516
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3724
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3820
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3888
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3980
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3548
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 2672
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 216
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 5000
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  PID: 3408
- C:\Windows\system32\BackgroundTaskHost.exe
  Command line: "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
  PID: 3324
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  PID: 4896
  Signatures:
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 244
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (6)
Downloads
- Filesize: 124KB
  MD5: 93cdb6a29b7dc77a97ea9ac5ff8aab8a
  SHA1: dbca2b77362683948e0ccdba824c1a7166d3409f
  SHA256: 3f929d34cd96cef878c3e5e0ee185173b1ae4caeed60838e32b63d45c055db80
  SHA512: 26b6d74980b4f3be40efa4cafce485dfa5a8397b16c0e3fcb3ace18887ffcc0c6dd6351bffde8e7de95af2f570baa7081131529ed2b0449982df001bc1065478
- Filesize: 1.1MB
  MD5: 84b74113dc0a776ae9ffc2ff0cb79e46
  SHA1: 55b710400c1c01281a00b9da6b36cb4a8943d55d
  SHA256: 5c6786cb8c4179fd9b6cd57c7d49a2cb82f4e873f296e23951d42290883b52c7
  SHA512: c3879146564848cfbcdfcba1913bd9e163a91070c635e5fb1b1ff033f3c09f20fc4f7af971b69343c6ae17307c304135253e8893b44a73fa2da83cfc5b2f321b
- Filesize: 212KB
  MD5: 4c9e8f81bf741a61915d0d4fc49d595e
  SHA1: d033008b3a0e5d3fc8876e0423ee5509ecb3897c
  SHA256: 951d725f4a12cd4ff713ca147fa3be08a02367db6731283c3f1ba30445990129
  SHA512: cf2c6f8f471c8a5aad563bc257035515860689b73ce343599c7713de8bc8338a031a722f366e005bc1907d6fc97b68b8b415e8ff05b7324fb1040c5dc02315d7
- Filesize: 48KB
  MD5: bf9bcf86d8767e8b743af94cb1970f87
  SHA1: 3cb1b967016e0a9ed244fc3c002cdd594afdd2d6
  SHA256: 5064bb1a3713c9a72c978d5f3744d9a743d22f700a0cce08523cb861de7e4ce7
  SHA512: ca42ed7b5324072afce8d676020b9e89041e623d5f0bf192b735e7a1e77df916ddee5cb8507afecb5a68aa6648aa336f4943f3fd1aadf2ae395ad11417c3762f
- Filesize: 328KB
  MD5: 7bcb58659e959d65514c45cd01bfc8e4
  SHA1: c2f41529a536c746ac0cf92c026dea65798f3ee7
  SHA256: f37248aa68d84818fba2b1ea160d7eec4d3f426eeca4d215c8db8d8389d18388
  SHA512: 0b33bbcb059de95e74e9e115fb09ca73846720041113c9cab10e5dec40024136241d66a92181527e36db714c4c96ee532b7df00ae2c10798d8bea947f6762217