Analysis
max time kernel: 17s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/02/2025, 21:30
Behavioral task behavioral1
Sample: 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe
Resource: win10v2004-20250217-en
(the signatures, memory dumps and process tree below are from behavioral2, the Windows 10 run)
General
Target: 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe
Size: 1.8MB
MD5: 1d1940b7775280d355fa25e70d7f17ec
SHA1: cf79bbeaa4e37d9cbcb99b18ca04f52be2124793
SHA256: 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775
SHA512: fd4b749a3c8293612087cb9e9d8db559d0ab05125f8517886f214d304d086022472237c1db834548cefccd1a8c305eb78be967f21988d06c43a7c6164beb8496
SSDEEP: 49152:bnsHyjtk2MYC5GDkY80D4YSbxIWvbqmmdtL4i96Ua:bnsmtk2a9YRmbSIKSi9e
Malware Config
Extracted family: xred
xred.mooo.com
payload_url:
- http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
- https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
- https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
- http://xred.site50.net/syn/SUpdate.ini
- https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
- https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
- http://xred.site50.net/syn/Synaptics.rar
- https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
- https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
- http://xred.site50.net/syn/SSLLibrary.dll
Extracted family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
Both the sample and its dropped copy Synaptics.exe write the same three values under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile:
- EnableFirewall = "0" (turns the standard-profile firewall off)
- DoNotAllowExceptions = "0" (re-allows exceptions)
- DisableNotifications = "1" (suppresses the "firewall is off" notification)
Processes: 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe, Synaptics.exe
Sality family
UAC bypass (3 TTPs, 2 IoCs)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0", written by 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe and by Synaptics.exe. EnableLUA = 0 switches UAC off for the whole machine (effective after the next restart), so this is a UAC disable rather than a bypass of a still-enabled prompt.
Windows security bypass (2 TTPs, 12 IoCs)
Six values under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center are each set to "1" by both 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe and Synaptics.exe (6 values x 2 processes = 12 IoCs):
- AntiVirusDisableNotify = "1"
- AntiVirusOverride = "1"
- FirewallDisableNotify = "1"
- FirewallOverride = "1"
- UacDisableNotify = "1"
- UpdatesDisableNotify = "1"
Xred family
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation, by 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe and by Synaptics.exe
Executes dropped EXE (3 IoCs)
- PID 3480: ._cache_364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe
- PID 2660: Synaptics.exe
- PID 4408: ._cache_Synaptics.exe
Windows security modification (2 TTPs, 14 IoCs)
The same six Security Center values listed under "Windows security bypass" (AntiVirusDisableNotify, AntiVirusOverride, FirewallDisableNotify, FirewallOverride, UacDisableNotify, UpdatesDisableNotify, all set to "1") by both processes, plus:
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc, by 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc, by Synaptics.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe", written by 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe. The WOW6432Node path is the registry-redirected view a 32-bit process gets on x64 Windows; the entry still runs at logon and shows up in the 32-bit Run key, which some host checks that only read the native HKLM\...\Run key miss.
Checks whether UAC is enabled (1 TTPs, 2 IoCs)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0", by 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe and by Synaptics.exe (the same writes as under "UAC bypass")
Enumerates connected drives (3 TTPs, 1 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only): \??\E:, by Synaptics.exe
Matches for yara_rule upx (37 IoCs), all in behavioral2:
- PID 2872, region 0x026A0000-0x0375A000: memory dumps 1, 3, 4, 5, 6, 8, 15, 17, 22, 23, 80, 92, 155 (13 dumps)
- dropped file files/0x000e000000023bbe-26.dat
- PID 3480, region 0x00400000-0x01A73000: memory dumps 148, 172
- PID 4408, region 0x00400000-0x01A73000: memory dumps 231, 238
- PID 2660, region 0x061A0000-0x0725A000: memory dumps 291, 293, 294, 295, 296, 297, 298, 299, 300, 301, 311, 312, 313, 314, 315, 317, 318, 319, 321 (19 dumps)
Drops file in Windows directory (3 IoCs)
- File created: C:\Windows\e5782cc, by 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe
- File opened for modification: C:\Windows\SYSTEM.INI, by 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe
- File created: C:\Windows\e57b100, by Synaptics.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe, ._cache_364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe, Synaptics.exe and ._cache_Synaptics.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0, by EXCEL.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz, by EXCEL.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString, by EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS, by EXCEL.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily, by EXCEL.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU, by EXCEL.EXE
Modifies registry class (2 IoCs)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\, by 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe and by Synaptics.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
- PID 4028 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 2872 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe (2 occurrences)
- PID 2660 Synaptics.exe (2 occurrences)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token: SeDebugPrivilege, enabled by PID 2872 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe (all 64 occurrences are this same process and privilege). SeDebugPrivilege is what lets the process open and write the memory of the unrelated system processes listed under "Suspicious use of WriteProcessMemory".
Suspicious use of SetWindowsHookEx (8 IoCs)
- PID 4028 EXCEL.EXE (8 occurrences)
Suspicious use of WriteProcessMemory (45 IoCs)
Format: target PID (procid_target index in the process list).
PID 2872 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe wrote to memory of:
- pre-existing system processes: 780 (8), 784 (9), 380 (13), 2648 (44), 2668 (45), 2892 (52), 3524 (56), 3648 (57), 3844 (58), 3956 (59), 4016 (60), 872 (61), 4184 (62), 3104 (75), 1580 (76), 5116 (83), 4608 (84)
- its own child processes: 3480 (89), three writes; 2660 (91), three writes
PID 2660 Synaptics.exe wrote to memory of:
- its own child process: 4408 (92), three writes
- pre-existing system processes: 780 (8), 784 (9), 380 (13), 2648 (44), 2668 (45), 2892 (52), 3524 (56), 3648 (57), 3844 (58), 3956 (59), 4016 (60), 872 (61), 4184 (62), 3104 (75), 1580 (76), 5116 (83), 3120 (86), 3624 (88), 4028 (93)
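The list above mixes two very different things: a parent writing into the child it has just created (every process creator does that) and a process writing into unrelated, pre-existing processes such as fontdrvhost.exe, dwm.exe and Explorer.EXE, which is the injection behaviour. The following Python is an added example, not part of the sandbox report, that separates the two. The records are an excerpt of the "wrote to memory of" lines above in the report's own format plus one constructed benign control; the parent/child map is taken from the process tree further down, and the threshold is the editor's choice.

```python
import re
from collections import defaultdict

# Excerpt of the report's "PID <writer> wrote to memory of <target> <writer> <image> <index>"
# records. The last record is a constructed benign control: a parent writing
# into the one child it created.
SAMPLE_WRITES = [
    'PID 2872 wrote to memory of 780 2872 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe 8',
    'PID 2872 wrote to memory of 784 2872 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe 9',
    'PID 2872 wrote to memory of 380 2872 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe 13',
    'PID 2872 wrote to memory of 3524 2872 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe 56',
    'PID 2872 wrote to memory of 3480 2872 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe 89',
    'PID 2872 wrote to memory of 3480 2872 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe 89',
    'PID 2872 wrote to memory of 3480 2872 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe 89',
    'PID 2872 wrote to memory of 2660 2872 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe 91',
    'PID 2872 wrote to memory of 2660 2872 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe 91',
    'PID 2872 wrote to memory of 2660 2872 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe 91',
    'PID 2660 wrote to memory of 4408 2660 Synaptics.exe 92',
    'PID 2660 wrote to memory of 4408 2660 Synaptics.exe 92',
    'PID 2660 wrote to memory of 4408 2660 Synaptics.exe 92',
    'PID 2660 wrote to memory of 780 2660 Synaptics.exe 8',
    'PID 2660 wrote to memory of 3524 2660 Synaptics.exe 56',
    'PID 2660 wrote to memory of 4028 2660 Synaptics.exe 93',
    'PID 9001 wrote to memory of 9002 9001 cmd.exe 99',   # constructed control
]

# Parent -> children, from the process tree in the report (9001/9002 constructed).
CHILDREN = {2872: {3480, 2660}, 2660: {4408}, 9001: {9002}}

WRITE_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$')


def parse_writes(records):
    """Yield (writer_pid, target_pid, writer_image) for each well-formed record."""
    for rec in records:
        m = WRITE_RE.match(rec)
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3)


def foreign_targets(records, children):
    """Distinct targets each writer touched that are NOT its own children.

    Writes into a freshly created child are normal process start-up; writes into
    unrelated, already running processes are the cross-process injection signal."""
    out = defaultdict(set)
    for writer, target, _image in parse_writes(records):
        if target not in children.get(writer, set()):
            out[writer].add(target)
    return {w: sorted(t) for w, t in out.items()}


def flag_injectors(records, children, threshold=3):
    """(writer_pid, image, foreign target count) for writers at or above the threshold."""
    images = {w: img for w, _t, img in parse_writes(records)}
    return sorted((w, images[w], len(t))
                  for w, t in foreign_targets(records, children).items()
                  if len(t) >= threshold)


if __name__ == '__main__':
    for pid, image, count in flag_injectors(SAMPLE_WRITES, CHILDREN):
        print(f'{pid} {image}: wrote into {count} unrelated processes')
```

On the full record set above, both 364e79d6...b775.exe (17 foreign targets) and Synaptics.exe (19) clear any sensible threshold, while a typical installer only ever writes into the children it spawns.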
System policy modification (1 TTPs, 2 IoCs)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0", by 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe and by Synaptics.exe
Processes
(indentation shows the process tree; the unrelated system processes appear in the list because the sample and Synaptics.exe wrote into them, see "Suspicious use of WriteProcessMemory")

C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"  PID 780
C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"  PID 784
C:\Windows\system32\dwm.exe  cmd: "dwm.exe"  PID 380
C:\Windows\system32\sihost.exe  cmd: sihost.exe  PID 2648
C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID 2668
C:\Windows\system32\taskhostw.exe  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID 2892
C:\Windows\Explorer.EXE  cmd: C:\Windows\Explorer.EXE  PID 3524
    C:\Users\Admin\AppData\Local\Temp\364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe"  PID 2872
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Checks computer location settings; Windows security modification; Adds Run key to start application; Checks whether UAC is enabled; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
        C:\Users\Admin\AppData\Local\Temp\._cache_364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\._cache_364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe"  PID 3480
            signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
        C:\ProgramData\Synaptics\Synaptics.exe  cmd: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate  PID 2660
            signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Checks computer location settings; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
            C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate  PID 4408
                signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID 3648
C:\Windows\system32\DllHost.exe  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID 3844
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID 3956
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID 4016
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID 872
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID 4184
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID 3104
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID 1580
C:\Windows\system32\backgroundTaskHost.exe  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca  PID 5116
C:\Windows\system32\backgroundTaskHost.exe  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  PID 4608
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID 3120
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID 3624
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE  cmd: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding  PID 4028
    signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx
    (started as a COM automation server, and one of the processes Synaptics.exe wrote into)
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (6)
Downloads
(hashes match the submitted sample)
Filesize: 1.8MB
MD5: 1d1940b7775280d355fa25e70d7f17ec
SHA1: cf79bbeaa4e37d9cbcb99b18ca04f52be2124793
SHA256: 364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775
SHA512: fd4b749a3c8293612087cb9e9d8db559d0ab05125f8517886f214d304d086022472237c1db834548cefccd1a8c305eb78be967f21988d06c43a7c6164beb8496

C:\Users\Admin\AppData\Local\Temp\._cache_364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe
Filesize: 979KB
MD5: 8ce50fc290bed7711d97b16d5ffb49f6
SHA1: 59cdc83c4d5f32ca1d5bdc32fe6656fadb27a72f
SHA256: 023b628b690f5185604fc7218dc4e9842604c7bd9f2e2c065f9360255cb39e49
SHA512: 455905bf556e9629c4ad1eea48ab1c4aa471462f289a74fbe6a06071a58e8cad2a31b686bd39e62e2e15be9bab2e64ea6c52d829738519eb159ca59609fc1ef9

Filesize: 17KB
MD5: e566fc53051035e1e6fd0ed1823de0f9
SHA1: 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Filesize: 26KB
MD5: 3ce82df044ca1c350b12a5159381fe7a
SHA1: 574430d25cd7a0fca75cdd3983e22468921238f9
SHA256: 5360b2f040065f16b2d359d3e98e0cdd7314bb54726877d1ff2a38eee78cb704
SHA512: 9e0b2cade727dc4737111d2d2fe5645150d159c50bcd4632d34352acf666b2580aa98ebde532f5a81584c72464681917e62f3cf76531fbfd3558b8c04c1a6043

Filesize: 257B
MD5: 838a725aa59aef0958f5c65024a91667
SHA1: 327f128e5cef261de2c685151f935c947aa8619e
SHA256: fbe18dcc8f6e107df1bac567efa6e563af9f274aad56b15b146248b68dc8fdbc
SHA512: 0b91abe883c83a842781d990761fa716c89d68b02c0402b61a84abc4cca6dbd286fb5969816631c9239d094356ab2efe648a51f30531e31c403305f6581de54e

Filesize: 97KB
MD5: 3a992c76d9c2e0dd44f71cf41d8c1d6b
SHA1: 43b60927abf7fdc6d90050979e619b1669022852
SHA256: d863a5d2398a676ca4fa96a0d6c62ada59dc326994993c3ca0f69567ffc23d21
SHA512: a6aa11eb7709fa5cf325f15b4cbae0e081b20e39555fae7932f944b2c3cc1059768e4abe1c11d59cbeb9708db141cc57179b464b8e4e10fe441a9766f01c40fa