Analysis
max time kernel: 33s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-02-2025 18:11

Static task: static1
Behavioral task: behavioral1
  Sample: 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
  Resource: win10v2004-20241007-en
General
Target: 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Size: 464KB
MD5: 59b5e5a7547053f923963a56a8b7bdbf
SHA1: 4c3ce8f1d16639b82b3556c3f3665d83949415d2
SHA256: 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f
SHA512: f43c79e0335b418f0ca88ede9ccd9fcf3f25737cb34e3c56be6fd17ccde9da805f240063d1030079f68d3f8d2f302fc213055453803004f55fa7a0dc14a7d4f4
SSDEEP: 6144:5afsiuvAQ+tTm6cyERSiytj71cwE4jKS6vlxQqyRqpYNLA:uCvAQ+q6ctRt636wfjOHm1c
Malware Config
Extracted
sality
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msn.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | msn.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | msn.exe
Sality family
UAC bypass (3 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msn.exe
Windows security bypass (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | msn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | msn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | msn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | msn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msn.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Deletes itself (1 IoCs)
pid | Process
4076 | msn.exe
Executes dropped EXE (1 IoCs)
pid | Process
4076 | msn.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (2 TTPs, 14 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | msn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | msn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | msn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | msn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | msn.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\apo5 = "C:\\Program Files (x86)\\win\\msn.exe" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Checks whether UAC is enabled (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msn.exe
Enumerates connected drives (3 TTPs, 35 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\win\msn.exe | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
File opened for modification | C:\Program Files (x86)\win | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
File created | C:\Program Files (x86)\win\msn.exe | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msn.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
3844 | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
3844 | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
3844 | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
3844 | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
4076 | msn.exe
4076 | msn.exe
4076 | msn.exe
4076 | msn.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (63 IoCs)
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msn.exe
Processes
depth | image | command line | PID
1 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | 772
1 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | 780
1 | C:\Windows\system32\dwm.exe | "dwm.exe" | 332
1 | C:\Windows\system32\sihost.exe | sihost.exe | 3040
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | 2620
1 | C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | 2492
1 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | 3428
2 | C:\Users\Admin\AppData\Local\Temp\00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe | "C:\Users\Admin\AppData\Local\Temp\00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe" | 3844
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Checks computer location settings
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
3 | C:\Program Files (x86)\win\msn.exe | "C:\Program Files (x86)\win\msn.exe" | 4076
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Deletes itself
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | 3556
1 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | 3736
1 | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | 3824
1 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | 3888
1 | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | 3972
1 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | 3680
1 | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | 4632
1 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | 5012
1 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service | 556
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (6)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)