Analysis
-
max time kernel: 36s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 03-02-2025 18:11
Static task: static1
Behavioral task: behavioral1
  Sample: 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
  Resource: win10v2004-20241007-en
General
-
Target: 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Size: 464KB
MD5: 59b5e5a7547053f923963a56a8b7bdbf
SHA1: 4c3ce8f1d16639b82b3556c3f3665d83949415d2
SHA256: 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f
SHA512: f43c79e0335b418f0ca88ede9ccd9fcf3f25737cb34e3c56be6fd17ccde9da805f240063d1030079f68d3f8d2f302fc213055453803004f55fa7a0dc14a7d4f4
SSDEEP: 6144:5afsiuvAQ+tTm6cyERSiytj71cwE4jKS6vlxQqyRqpYNLA:uCvAQ+q6ctRt636wfjOHm1c
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | msn.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | msn.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msn.exe
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msn.exe
-
Windows security bypass 2 TTPs 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | msn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | msn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | msn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | msn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
-
Deletes itself 1 IoCs
pid Process 2632 msn.exe -
Executes dropped EXE 1 IoCs
pid Process 2632 msn.exe -
Loads dropped DLL 2 IoCs
pid Process 2788 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe 2788 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | msn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | msn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | msn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | msn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | msn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msn.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\apo5 = "C:\\Program Files (x86)\\win\\msn.exe" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msn.exe
-
Enumerates connected drives 3 TTPs 41 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\p: | msn.exe
File opened (read-only) | \??\z: | msn.exe
File opened (read-only) | \??\E: | msn.exe
File opened (read-only) | \??\G: | msn.exe
File opened (read-only) | \??\b: | msn.exe
File opened (read-only) | \??\h: | msn.exe
File opened (read-only) | \??\k: | msn.exe
File opened (read-only) | \??\o: | msn.exe
File opened (read-only) | \??\J: | msn.exe
File opened (read-only) | \??\L: | msn.exe
File opened (read-only) | \??\N: | msn.exe
File opened (read-only) | \??\O: | msn.exe
File opened (read-only) | \??\a: | msn.exe
File opened (read-only) | \??\x: | msn.exe
File opened (read-only) | \??\H: | msn.exe
File opened (read-only) | \??\I: | msn.exe
File opened (read-only) | \??\E: | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
File opened (read-only) | \??\K: | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
File opened (read-only) | \??\e: | msn.exe
File opened (read-only) | \??\i: | msn.exe
File opened (read-only) | \??\j: | msn.exe
File opened (read-only) | \??\s: | msn.exe
File opened (read-only) | \??\w: | msn.exe
File opened (read-only) | \??\y: | msn.exe
File opened (read-only) | \??\M: | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
File opened (read-only) | \??\v: | msn.exe
File opened (read-only) | \??\K: | msn.exe
File opened (read-only) | \??\G: | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
File opened (read-only) | \??\J: | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
File opened (read-only) | \??\l: | msn.exe
File opened (read-only) | \??\m: | msn.exe
File opened (read-only) | \??\I: | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
File opened (read-only) | \??\t: | msn.exe
File opened (read-only) | \??\M: | msn.exe
File opened (read-only) | \??\q: | msn.exe
File opened (read-only) | \??\r: | msn.exe
File opened (read-only) | \??\u: | msn.exe
File opened (read-only) | \??\H: | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
File opened (read-only) | \??\L: | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
File opened (read-only) | \??\g: | msn.exe
File opened (read-only) | \??\n: | msn.exe
-
resource | yara_rule
behavioral1/memory/2788-4-0x0000000002000000-0x000000000308E000-memory.dmp | upx
behavioral1/memory/2788-8-0x0000000002000000-0x000000000308E000-memory.dmp | upx
behavioral1/memory/2788-2-0x0000000002000000-0x000000000308E000-memory.dmp | upx
behavioral1/memory/2788-11-0x0000000002000000-0x000000000308E000-memory.dmp | upx
behavioral1/memory/2788-10-0x0000000002000000-0x000000000308E000-memory.dmp | upx
behavioral1/memory/2788-9-0x0000000002000000-0x000000000308E000-memory.dmp | upx
behavioral1/memory/2788-7-0x0000000002000000-0x000000000308E000-memory.dmp | upx
behavioral1/memory/2788-6-0x0000000002000000-0x000000000308E000-memory.dmp | upx
behavioral1/memory/2788-5-0x0000000002000000-0x000000000308E000-memory.dmp | upx
behavioral1/memory/2788-12-0x0000000002000000-0x000000000308E000-memory.dmp | upx
behavioral1/memory/2788-13-0x0000000002000000-0x000000000308E000-memory.dmp | upx
behavioral1/memory/2788-28-0x0000000002000000-0x000000000308E000-memory.dmp | upx
behavioral1/memory/2788-29-0x0000000002000000-0x000000000308E000-memory.dmp | upx
behavioral1/memory/2788-30-0x0000000002000000-0x000000000308E000-memory.dmp | upx
behavioral1/memory/2788-32-0x0000000002000000-0x000000000308E000-memory.dmp | upx
behavioral1/memory/2788-33-0x0000000002000000-0x000000000308E000-memory.dmp | upx
behavioral1/memory/2788-34-0x0000000002000000-0x000000000308E000-memory.dmp | upx
behavioral1/memory/2788-35-0x0000000002000000-0x000000000308E000-memory.dmp | upx
behavioral1/memory/2788-37-0x0000000002000000-0x000000000308E000-memory.dmp | upx
behavioral1/memory/2788-39-0x0000000002000000-0x000000000308E000-memory.dmp | upx
behavioral1/memory/2788-42-0x0000000002000000-0x000000000308E000-memory.dmp | upx
behavioral1/memory/2788-59-0x0000000002000000-0x000000000308E000-memory.dmp | upx
behavioral1/memory/2788-64-0x0000000002000000-0x000000000308E000-memory.dmp | upx
-
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\win\msn.exe | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
File opened for modification | C:\Program Files (x86)\win | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
File created | C:\Program Files (x86)\win\msn.exe | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
-
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msn.exe
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid | Process (consecutive repeats collapsed, in the original order)
2788 | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe (x2)
2668 | taskmgr.exe (x12)
2632 | msn.exe (x1)
2668 | taskmgr.exe (x11)
2632 | msn.exe (x1)
2668 | taskmgr.exe (x3)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2668 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description | pid | Process (consecutive repeats collapsed, in the original order)
Token: SeDebugPrivilege | 2788 | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe (x24)
Token: SeDebugPrivilege | 2668 | taskmgr.exe (x1)
Token: SeDebugPrivilege | 2632 | msn.exe (x23)
-
Suspicious use of FindShellTrayWindow 38 IoCs
pid | Process
2668 | taskmgr.exe (x38)
-
Suspicious use of SendNotifyMessage 38 IoCs
pid | Process
2668 | taskmgr.exe (x38)
-
Suspicious use of WriteProcessMemory 22 IoCs
description | pid | Process | procid_target
PID 2788 wrote to memory of 1120 | 2788 | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe | 19
PID 2788 wrote to memory of 1172 | 2788 | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe | 20
PID 2788 wrote to memory of 1220 | 2788 | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe | 21
PID 2788 wrote to memory of 1200 | 2788 | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe | 23
PID 2788 wrote to memory of 1120 | 2788 | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe | 19
PID 2788 wrote to memory of 1172 | 2788 | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe | 20
PID 2788 wrote to memory of 1220 | 2788 | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe | 21
PID 2788 wrote to memory of 1200 | 2788 | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe | 23
PID 2788 wrote to memory of 2632 | 2788 | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe | 32
PID 2788 wrote to memory of 2632 | 2788 | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe | 32
PID 2788 wrote to memory of 2632 | 2788 | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe | 32
PID 2788 wrote to memory of 2632 | 2788 | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe | 32
PID 2632 wrote to memory of 1120 | 2632 | msn.exe | 19
PID 2632 wrote to memory of 1172 | 2632 | msn.exe | 20
PID 2632 wrote to memory of 1220 | 2632 | msn.exe | 21
PID 2632 wrote to memory of 1200 | 2632 | msn.exe | 23
PID 2632 wrote to memory of 2668 | 2632 | msn.exe | 31
PID 2632 wrote to memory of 1120 | 2632 | msn.exe | 19
PID 2632 wrote to memory of 1172 | 2632 | msn.exe | 20
PID 2632 wrote to memory of 1220 | 2632 | msn.exe | 21
PID 2632 wrote to memory of 1200 | 2632 | msn.exe | 23
PID 2632 wrote to memory of 2668 | 2632 | msn.exe | 31
-
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msn.exe
Processes
-
(path | command line | PID; indentation shows the parent/child level of the process tree)
C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1120
-
C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1172
-
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1220
  C:\Users\Admin\AppData\Local\Temp\00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe | "C:\Users\Admin\AppData\Local\Temp\00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe" | PID:2788
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Program Files (x86)\win\msn.exe | "C:\Program Files (x86)\win\msn.exe" | PID:2632
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Deletes itself
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
  C:\Windows\system32\taskmgr.exe | "C:\Windows\system32\taskmgr.exe" | PID:2668
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
-
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:1200
Network
MITRE ATT&CK Enterprise v15 (tactic, then technique / sub-technique with the number of matching signatures)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (6)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
-
Filesize: 257B
MD5: d2817e76580ee438e2efb34424580e18
SHA1: 175aadfe7ed39cbf82370bf23c4b6830574b994e
SHA256: f6f09f81fb5d83abcbc5799a1d457e193e67482645dbbba9b337d793abaaabfa
SHA512: e173a5b1bdbf071d6cb0ff515752eeaafa47f0322104bff74b3e836cf403c70189ae6d5d67acce90ee32324215531439e1f8fb6026cd8349e723bef094134004
-
Filesize: 100KB
MD5: 011e6f58d38adc9bff68a4aa9ee96cb2
SHA1: 9daaed03f775a542cc42212a17e6b276be05f50a
SHA256: 9439073068f412857c215334b12c2fb31663cc91946049078f13be24ec45bf04
SHA512: e25d021472d0b1aa44711992d8adb3e82cf8107618f830e924bfa9851ca55f28ccf1b0ad0123bb0b110add1dc24e9a284067aa613402581e7198be84d3aa2b7c
-
Filesize: 464KB
MD5: 59b5e5a7547053f923963a56a8b7bdbf
SHA1: 4c3ce8f1d16639b82b3556c3f3665d83949415d2
SHA256: 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f
SHA512: f43c79e0335b418f0ca88ede9ccd9fcf3f25737cb34e3c56be6fd17ccde9da805f240063d1030079f68d3f8d2f302fc213055453803004f55fa7a0dc14a7d4f4