Analysis
- max time kernel: 135s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20250129-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-02-2025 08:01
Static task: static1

Behavioral tasks (sample, resource):
- behavioral1: abc/R700,.exe on win7-20240729-en
- behavioral2: abc/R700,.exe on win10v2004-20250129-en
- behavioral3: abc/abc3;.exe on win7-20240903-en
- behavioral4: abc/abc3;.exe on win10v2004-20250129-en
- behavioral5: abc/abc7;.exe on win7-20240903-en
- behavioral6: abc/abc7;.exe on win10v2004-20250129-en
- behavioral7: abc/new;.exe on win7-20240903-en
General
- Target: abc/abc3;.exe
- Size: 1.2MB
- MD5: 7683790ae33576643b69c12d640fd5fc
- SHA1: adbd241d4dc1ff76dd5269b00b6c0278bb50588c
- SHA256: a5d1941cd0dafe9f7ee2034200e2aca8f2e323a5eeb7fb9f3b210906b8e5158f
- SHA512: b3ace082767cccda5d21ddec192e37fe1ce4d15c50374a140a1700c8c28231aa3b56fe1ee4a011f17d67b40b5ab2a610ae03367574149f143af218956e4bef94
- SSDEEP: 24576:TmPZ/5jLtGHyhdFP8gxBYTICZazH0XHEvJ4BDm:KPZ/ltGakgxYa0XHEG6
Malware Config
Extracted
- Family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (abc3;.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (abc3;.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (abc3;.exe)

Sality family

UAC bypass (3 TTPs, 1 IoC)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (abc3;.exe)

Windows security bypass (2 TTPs, 6 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (abc3;.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (abc3;.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (abc3;.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (abc3;.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (abc3;.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (abc3;.exe)

Drops startup file (1 IoC)
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229ABC.lnk (WD32BEB.EXE)
Executes dropped EXE (1 IoC)
- PID 4308 WD32BEB.EXE

Loads dropped DLL (10 IoCs)
- PID 1904 abc3;.exe (3 events)
- PID 4308 WD32BEB.EXE (7 events)

Windows security modification (2 TTPs, 7 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (abc3;.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (abc3;.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (abc3;.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (abc3;.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (abc3;.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (abc3;.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (abc3;.exe)

Checks whether UAC is enabled (1 TTP, 1 IoC)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (abc3;.exe)

Drops file in System32 directory (7 IoCs)
- File created C:\Windows\SysWOW64\191dd0\WD32BEB.TXT (abc3;.exe)
- File created C:\Windows\SysWOW64\191dd0\dp1.fne (abc3;.exe)
- File created C:\Windows\SysWOW64\191dd0\krnln.fnr (abc3;.exe)
- File created C:\Windows\SysWOW64\191dd0\WD32BEB.EXE (abc3;.exe)
- File created C:\Windows\SysWOW64\191dd0\eAPI.fne (abc3;.exe)
- File created C:\Windows\SysWOW64\191dd0\HtmlView.fne (abc3;.exe)
- File created C:\Windows\SysWOW64\191dd0\internet.fne (abc3;.exe)

YARA matches on memory dumps (resource, yara_rule)
- behavioral4/memory/1904-1-0x0000000002310000-0x00000000033CA000-memory.dmp: upx
- behavioral4/memory/1904-5-0x0000000002310000-0x00000000033CA000-memory.dmp: upx
- behavioral4/memory/1904-6-0x0000000002310000-0x00000000033CA000-memory.dmp: upx
- behavioral4/memory/1904-17-0x0000000002310000-0x00000000033CA000-memory.dmp: upx
- behavioral4/memory/1904-15-0x0000000002310000-0x00000000033CA000-memory.dmp: upx
- behavioral4/memory/1904-23-0x0000000002310000-0x00000000033CA000-memory.dmp: upx
- behavioral4/memory/1904-26-0x0000000002310000-0x00000000033CA000-memory.dmp: upx
- behavioral4/memory/1904-27-0x0000000002310000-0x00000000033CA000-memory.dmp: upx
- behavioral4/memory/1904-28-0x0000000002310000-0x00000000033CA000-memory.dmp: upx
- behavioral4/memory/1904-29-0x0000000002310000-0x00000000033CA000-memory.dmp: upx
- behavioral4/memory/1904-78-0x0000000002310000-0x00000000033CA000-memory.dmp: upx
- behavioral4/memory/1904-12-0x0000000002310000-0x00000000033CA000-memory.dmp: upx

Drops file in Windows directory (2 IoCs)
- File created C:\Windows\e57f424 (abc3;.exe)
- File opened for modification C:\Windows\SYSTEM.INI (abc3;.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (abc3;.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorer.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WD32BEB.EXE)

Modifies Internet Explorer settings (4 IoCs)
- Key created \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser (explorer.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = (binary data omitted) (explorer.exe)
- Key created \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Software\Microsoft\Internet Explorer\Toolbar (explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" (explorer.exe)
Modifies registry class (41 IoCs)
All 41 entries were written by explorer.exe. Unless a full path is shown, keys are relative to \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell; long binary values are omitted.
- Key created BagMRU\0\0
- Set value (data) BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff
- Key created Bags\AllFolders\Shell
- Set value (data) BagMRU\MRUListEx = ffffffff
- Set value (data) BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
- Set value (data) BagMRU\NodeSlots = 02
- Set value (data) BagMRU\MRUListEx = 00000000ffffffff
- Set value (data) BagMRU\0\MRUListEx = 00000000ffffffff
- Set value (data) BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff
- Key created BagMRU\0\0\0\0\0\0
- Key created BagMRU\0\0\0\0\0\0\0
- Set value (data) BagMRU\NodeSlots
- Set value (data) BagMRU\0\0\0\0\0 = (binary data omitted)
- Key created BagMRU\0\0\0
- Set value (data) BagMRU\0\0\0\0\0\0 = (binary data omitted)
- Set value (data) BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff
- Set value (data) BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff
- Key created BagMRU
- Set value (data) BagMRU\0\0\0 = (binary data omitted)
- Set value (data) BagMRU\0\0\0\0\0\0\0 = (binary data omitted)
- Set value (data) BagMRU\0\0\0\0\0\0\0\0 = (binary data omitted)
- Set value (data) BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff
- Key created Bags
- Key created \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings
- Set value (data) BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000
- Set value (int) BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1"
- Key created Bags\1\Shell
- Key created Bags\1
- Key created \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
- Set value (data) Bags\AllFolders\Shell\NavBar = (binary data omitted)
- Key created \REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell
- Key created BagMRU\0\0\0\0\0
- Set value (data) BagMRU\0\0\0\MRUListEx = 00000000ffffffff
- Set value (str) Bags\1\Shell\SniffedFolderType = "Generic"
- Key created BagMRU\0
- Key created BagMRU\0\0\0\0
- Key created BagMRU\0\0\0\0\0\0\0\0
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
- Key created Bags\AllFolders
- Set value (data) BagMRU\0\0\MRUListEx = 00000000ffffffff
- Set value (data) BagMRU\0\0\0\0 = (binary data omitted)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
- PID 1160 explorer.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 1904 abc3;.exe (2 events)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeDebugPrivilege, PID 1904 abc3;.exe (64 events)

Suspicious use of SetWindowsHookEx (10 IoCs)
- PID 1904 abc3;.exe (2 events)
- PID 4308 WD32BEB.EXE (6 events)
- PID 1160 explorer.exe (2 events)

Suspicious use of WriteProcessMemory (23 IoCs)
Source is PID 1904 abc3;.exe in every entry; the number in brackets is the sandbox's procid_target. Target process names are taken from the Processes section below.
- wrote to memory of PID 792 fontdrvhost.exe [9]
- wrote to memory of PID 796 fontdrvhost.exe [10]
- wrote to memory of PID 316 dwm.exe [13]
- wrote to memory of PID 2764 sihost.exe [49]
- wrote to memory of PID 2820 svchost.exe [50]
- wrote to memory of PID 3060 taskhostw.exe [52]
- wrote to memory of PID 3512 Explorer.EXE [56]
- wrote to memory of PID 3660 svchost.exe [57]
- wrote to memory of PID 3844 DllHost.exe [58]
- wrote to memory of PID 3932 StartMenuExperienceHost.exe [59]
- wrote to memory of PID 3996 RuntimeBroker.exe [60]
- wrote to memory of PID 4080 SearchApp.exe [61]
- wrote to memory of PID 4192 RuntimeBroker.exe [62]
- wrote to memory of PID 3124 TextInputHost.exe [75]
- wrote to memory of PID 1192 RuntimeBroker.exe [76]
- wrote to memory of PID 3568 backgroundTaskHost.exe [82]
- wrote to memory of PID 1368 backgroundTaskHost.exe [83]
- wrote to memory of PID 1492 explorer.exe [86] (3 events)
- wrote to memory of PID 4308 WD32BEB.EXE [88] (3 events)

System policy modification (1 TTP, 1 IoC)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (abc3;.exe)
Processes
Indentation shows the parent/child tree; each entry gives the image path, PID and command line.
- C:\Windows\system32\fontdrvhost.exe (PID 792), command line: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe (PID 796), command line: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe (PID 316), command line: "dwm.exe"
- C:\Windows\system32\sihost.exe (PID 2764), command line: sihost.exe
- C:\Windows\system32\svchost.exe (PID 2820), command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe (PID 3060), command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE (PID 3512), command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\abc\abc3;.exe (PID 1904), command line: "C:\Users\Admin\AppData\Local\Temp\abc\abc3;.exe"
    Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Loads dropped DLL; Windows security modification; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Windows\SysWOW64\explorer.exe (PID 1492), command line: explorer C:\Users\Admin\AppData\Local\Temp\abc\
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\191dd0\WD32BEB.EXE (PID 4308), command line: C:\Windows\system32\\191dd0\WD32BEB.EXE
      Signatures: Drops startup file; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\svchost.exe (PID 3660), command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe (PID 3844), command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 3932), command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 3996), command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 4080), command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 4192), command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (PID 3124), command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 1192), command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\backgroundTaskHost.exe (PID 3568), command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- C:\Windows\system32\backgroundTaskHost.exe (PID 1368), command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\explorer.exe (PID 1160), command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  Signatures: Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe (PID 4360), command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (6)
Downloads