phorphiex | 14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964

Analysis

max time kernel
26s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2025, 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Size

381KB
MD5

d75424c803eb7d843e2569a972e2ecc1
SHA1

09978cd6a3c99d8e1dacda30a2b53602d4e73832
SHA256

14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964
SHA512

d3e8f610f079ce6af10aa17f81e87b871ccbad6492addca00bee2185ff937f2f2f99baead4fb8e26e2b167d5c28c390e5f4cead2b95f27f0badc392edc40114b
SSDEEP

6144:NYMBlUgPcOFgqw+0Rs7cqyEcuFIqjHiegfN5n:NYMlUVOFgBEcqjHQNV

Score

10^/10

phorphiex sality backdoor defense_evasion discovery loader persistence trojan upx worm

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

defense_evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	winsvcs.exe

Modifies firewall policy service 3 TTPs 6 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	winsvcs.exe

Phorphiex family
phorphiex
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Sality family
sality

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winsvcs.exe

Windows security bypass 2 TTPs 13 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winsvcs.exe

Deletes itself 1 IoCs

pid	Process
1660	winsvcs.exe

Executes dropped EXE 1 IoCs

pid	Process
1660	winsvcs.exe

Windows security modification 2 TTPs 16 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winsvcs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\Windows\\6008004470706007\\winsvcs.exe"	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\Windows\\6008004470706007\\winsvcs.exe"	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winsvcs.exe

Enumerates connected drives 3 TTPs 7 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	winsvcs.exe
File opened (read-only)	\??\E:	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
File opened (read-only)	\??\G:	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
File opened (read-only)	\??\H:	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
File opened (read-only)	\??\I:	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
File opened (read-only)	\??\J:	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
File opened (read-only)	\??\E:	winsvcs.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2660-4-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/2660-3-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/2660-6-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/2660-9-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/2660-12-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/2660-5-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/2660-13-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/2660-1-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/2660-14-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/2660-15-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/2660-16-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/2660-17-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/2660-18-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/2660-19-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/2660-21-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/2660-22-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/2660-25-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/2660-29-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/2660-36-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/2660-39-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/1660-65-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1660-72-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1660-71-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1660-75-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1660-70-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1660-69-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1660-68-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1660-74-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1660-73-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1660-80-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1660-79-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1660-81-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1660-82-0x0000000003170000-0x00000000041FE000-memory.dmp	upx
behavioral2/memory/1660-83-0x0000000003170000-0x00000000041FE000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
File created	C:\Windows\6008004470706007\winsvcs.exe	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
File opened for modification	C:\Windows\6008004470706007\winsvcs.exe	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
File opened for modification	C:\Windows\6008004470706007	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3668	2660	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsvcs.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
1660	winsvcs.exe
1660	winsvcs.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Token: SeDebugPrivilege	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 784	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe	8
PID 2660 wrote to memory of 792	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe	9
PID 2660 wrote to memory of 336	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe	13
PID 2660 wrote to memory of 1060	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe	50
PID 2660 wrote to memory of 752	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe	51
PID 2660 wrote to memory of 3132	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe	52
PID 2660 wrote to memory of 3444	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe	56
PID 2660 wrote to memory of 3552	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe	57
PID 2660 wrote to memory of 3752	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe	58
PID 2660 wrote to memory of 3848	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe	59
PID 2660 wrote to memory of 3916	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe	60
PID 2660 wrote to memory of 4004	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe	61
PID 2660 wrote to memory of 3596	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe	62
PID 2660 wrote to memory of 3660	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe	74
PID 2660 wrote to memory of 5076	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe	76
PID 2660 wrote to memory of 2944	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe	85
PID 2660 wrote to memory of 1388	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe	86
PID 2660 wrote to memory of 1660	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe	99
PID 2660 wrote to memory of 1660	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe	99
PID 2660 wrote to memory of 1660	2660	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe	99
PID 1660 wrote to memory of 784	1660	winsvcs.exe	8
PID 1660 wrote to memory of 792	1660	winsvcs.exe	9
PID 1660 wrote to memory of 336	1660	winsvcs.exe	13
PID 1660 wrote to memory of 1060	1660	winsvcs.exe	50
PID 1660 wrote to memory of 752	1660	winsvcs.exe	51
PID 1660 wrote to memory of 3132	1660	winsvcs.exe	52
PID 1660 wrote to memory of 3444	1660	winsvcs.exe	56
PID 1660 wrote to memory of 3552	1660	winsvcs.exe	57
PID 1660 wrote to memory of 3752	1660	winsvcs.exe	58
PID 1660 wrote to memory of 3848	1660	winsvcs.exe	59
PID 1660 wrote to memory of 3916	1660	winsvcs.exe	60
PID 1660 wrote to memory of 4004	1660	winsvcs.exe	61
PID 1660 wrote to memory of 3596	1660	winsvcs.exe	62
PID 1660 wrote to memory of 3660	1660	winsvcs.exe	74
PID 1660 wrote to memory of 5076	1660	winsvcs.exe	76
PID 1660 wrote to memory of 1388	1660	winsvcs.exe	86
PID 1660 wrote to memory of 4756	1660	winsvcs.exe	89
PID 1660 wrote to memory of 4724	1660	winsvcs.exe	91

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winsvcs.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:336

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:752

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3132

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3444
- C:\Users\Admin\AppData\Local\Temp\14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe
  "C:\Users\Admin\AppData\Local\Temp\14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964.exe"
  2⤵
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2660
- - C:\Windows\6008004470706007\winsvcs.exe
    C:\Windows\6008004470706007\winsvcs.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Deletes itself
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1660
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1104
    3⤵
    - Program crash
    PID:3668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3552

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3752

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3848

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3916

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4004

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3596

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3660

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5076

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2944

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1388

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4756

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2660 -ip 2660
1⤵
PID:2220

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3128

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe

Filesize
10.6MB

MD5
67e6e37998718f746ba52eaf94c4c0a7

SHA1
83e7abe8c919c75660b4f7e327dae54a92064bb1

SHA256
1dc68c7eb3fc39e118521c7425c47da841283a076cc422a480bf9ef637c43000

SHA512
21521aac07b47a3386dd789a5ccdbe0175799dfbfe5758670a35a6b642b89578ecfaa4e0086dfe3b734bce1af317671339aa2f5650705ac317b182c01c193f3c

Download Submit
C:\Windows\6008004470706007\winsvcs.exe

Filesize
381KB

MD5
d75424c803eb7d843e2569a972e2ecc1

SHA1
09978cd6a3c99d8e1dacda30a2b53602d4e73832

SHA256
14831fbef9a0f594287140b279c209e953c5af0f09df933552d8205bcd8a6964

SHA512
d3e8f610f079ce6af10aa17f81e87b871ccbad6492addca00bee2185ff937f2f2f99baead4fb8e26e2b167d5c28c390e5f4cead2b95f27f0badc392edc40114b

Download Submit
C:\Windows\SYSTEM.INI

Filesize
257B

MD5
91ef1d702ed321e6f48f32765ebeeaf9

SHA1
8e26c88a21ec0e8dbfb638c8b1158254226c9652

SHA256
904d03d46989ec3ac5e1d79f6402ddf63136d8cb652f2cfa5a5f512954fdc738

SHA512
bbb36b4f96d069657c1ea87f30babb3585f740f811e87cabc82b8b1c3ceba70da0b07ae0d17f32b972c2bc5f5512ecc3804375d65637bc83098d184fe7fde3f4

Download Submit
C:\cgcsw.exe

Filesize
100KB

MD5
e979f8c243cd58acbe06b765550a38aa

SHA1
12c5774911333a5dccf58a593be5b400b97f270e

SHA256
4b5944e830f19c57a28f6672179d71fa2fb1ac9297d78a58d4e698df63780625

SHA512
2e0d4ac21926cf29f87d869c44b1f587dbcc308a9b6b9fbc06f93060353e92766efd7433fa833b27ae487e7f25384932f3ec46828a37a0b895b8aad7ffef4b64

Download Submit
memory/1660-74-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1660-70-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1660-79-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1660-80-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1660-82-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1660-73-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1660-83-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1660-68-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1660-69-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1660-81-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1660-75-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1660-71-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1660-72-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1660-78-0x0000000004C10000-0x0000000004C12000-memory.dmp

Filesize
8KB

Download
memory/1660-77-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/1660-65-0x0000000003170000-0x00000000041FE000-memory.dmp

Filesize
16.6MB

Download
memory/1660-66-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1660-60-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1660-61-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2660-14-0x0000000002290000-0x000000000331E000-memory.dmp

Filesize
16.6MB

Download
memory/2660-16-0x0000000002290000-0x000000000331E000-memory.dmp

Filesize
16.6MB

Download
memory/2660-34-0x00000000005D0000-0x00000000005D2000-memory.dmp

Filesize
8KB

Download
memory/2660-25-0x0000000002290000-0x000000000331E000-memory.dmp

Filesize
16.6MB

Download
memory/2660-36-0x0000000002290000-0x000000000331E000-memory.dmp

Filesize
16.6MB

Download
memory/2660-39-0x0000000002290000-0x000000000331E000-memory.dmp

Filesize
16.6MB

Download
memory/2660-56-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2660-58-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2660-26-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2660-24-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/2660-22-0x0000000002290000-0x000000000331E000-memory.dmp

Filesize
16.6MB

Download
memory/2660-21-0x0000000002290000-0x000000000331E000-memory.dmp

Filesize
16.6MB

Download
memory/2660-19-0x0000000002290000-0x000000000331E000-memory.dmp

Filesize
16.6MB

Download
memory/2660-18-0x0000000002290000-0x000000000331E000-memory.dmp

Filesize
16.6MB

Download
memory/2660-17-0x0000000002290000-0x000000000331E000-memory.dmp

Filesize
16.6MB

Download
memory/2660-29-0x0000000002290000-0x000000000331E000-memory.dmp

Filesize
16.6MB

Download
memory/2660-15-0x0000000002290000-0x000000000331E000-memory.dmp

Filesize
16.6MB

Download
memory/2660-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2660-1-0x0000000002290000-0x000000000331E000-memory.dmp

Filesize
16.6MB

Download
memory/2660-7-0x00000000005D0000-0x00000000005D2000-memory.dmp

Filesize
8KB

Download
memory/2660-13-0x0000000002290000-0x000000000331E000-memory.dmp

Filesize
16.6MB

Download
memory/2660-5-0x0000000002290000-0x000000000331E000-memory.dmp

Filesize
16.6MB

Download
memory/2660-12-0x0000000002290000-0x000000000331E000-memory.dmp

Filesize
16.6MB

Download
memory/2660-9-0x0000000002290000-0x000000000331E000-memory.dmp

Filesize
16.6MB

Download
memory/2660-11-0x00000000005D0000-0x00000000005D2000-memory.dmp

Filesize
8KB

Download
memory/2660-6-0x0000000002290000-0x000000000331E000-memory.dmp

Filesize
16.6MB

Download
memory/2660-10-0x00000000005D0000-0x00000000005D2000-memory.dmp

Filesize
8KB

Download
memory/2660-8-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/2660-3-0x0000000002290000-0x000000000331E000-memory.dmp

Filesize
16.6MB

Download
memory/2660-4-0x0000000002290000-0x000000000331E000-memory.dmp

Filesize
16.6MB

Download