sality | 7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a

General

Target

7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Size

2.4MB
MD5

ebdb7285b036489a12d3cc544918452e
SHA1

d6288d127bcecd24409258e38bbb85e0e72b8cb4
SHA256

7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a
SHA512

eed66a8d7f51b8699993aa7637b20f8fa3f8211c5061666380cbbed1261c19fe148770520e9f867ff1d01a18d160ce9ad1feef9f9c22b85e3c29d394b12e5613

Score

10^/10

sality backdoor evasion spyware stealer trojan upx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop.ocx	acprotect

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2340-130-0x0000000002670000-0x000000000372A000-memory.dmp	upx
C:\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop.ocx	upx
behavioral2/memory/2340-132-0x0000000002670000-0x000000000372A000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe

pid process

2340 7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe

description	ioc	process
File opened (read-only)	\??\Q:	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened (read-only)	\??\R:	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened (read-only)	\??\S:	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened (read-only)	\??\K:	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened (read-only)	\??\O:	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened (read-only)	\??\U:	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened (read-only)	\??\Z:	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened (read-only)	\??\M:	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened (read-only)	\??\G:	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened (read-only)	\??\J:	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened (read-only)	\??\L:	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened (read-only)	\??\P:	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened (read-only)	\??\T:	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened (read-only)	\??\V:	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened (read-only)	\??\X:	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened (read-only)	\??\F:	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened (read-only)	\??\H:	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened (read-only)	\??\I:	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened (read-only)	\??\N:	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened (read-only)	\??\W:	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened (read-only)	\??\Y:	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened (read-only)	\??\E:	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in Program Files directory 13 IoCs

Processes:

7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File created	C:\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop.ocx	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File created	C:\Program Files (x86)\MountTaiSoftware\Lodop\NPCAOSOFT_WEB_PRINT_lodop.dll	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe

Drops file in Windows directory 2 IoCs

Processes:

7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe

description	ioc	process
File created	C:\Windows\e56962a	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
File opened for modification	C:\Windows\SYSTEM.INI	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LOCALMACHINE_CD_UNLOCK = "0"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe

Modifies registry class 64 IoCs

Processes:

7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\FLAGS	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ = "ILodopX"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus\ = "0"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX\ = "LodopX Control"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ProgID\ = "Lodop.LodopX"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\TypeLib	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\0\win32	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus\1\ = "205201"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\Version = "6.0"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx,0"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb\0	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\0	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32\ = "C:\\PROGRA~2\\MOUNTT~1\\Lodop\\CAOSOF~1.OCX"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Control\	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\FLAGS\ = "2"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Version	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\HELPDIR\ = "C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\Version = "6.0"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\HELPDIR	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\Version = "6.0"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\Version = "6.0"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ToolboxBitmap32	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX\Clsid	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus\1	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\0\win32\ = "C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ProgID	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb\0\ = "Properties,0,2"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ = "ILodopXEvents"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ = "ILodopXEvents"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ = "LodopX Control"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Version\ = "6.0"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\ = "Lodop"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32\ThreadingModel = "Apartment"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb\	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ = "ILodopX"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Control	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX\Clsid\ = "{2105C259-1E0C-4534-8141-A753534CB4CA}"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe

pid	process
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe

description	pid	process
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
Token: SeDebugPrivilege	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe

description	pid	process	target process
PID 2340 wrote to memory of 772	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	fontdrvhost.exe
PID 2340 wrote to memory of 768	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	fontdrvhost.exe
PID 2340 wrote to memory of 1016	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	dwm.exe
PID 2340 wrote to memory of 2268	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	sihost.exe
PID 2340 wrote to memory of 2300	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	svchost.exe
PID 2340 wrote to memory of 2440	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	taskhostw.exe
PID 2340 wrote to memory of 3180	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	svchost.exe
PID 2340 wrote to memory of 3380	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	DllHost.exe
PID 2340 wrote to memory of 3468	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	StartMenuExperienceHost.exe
PID 2340 wrote to memory of 3544	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	RuntimeBroker.exe
PID 2340 wrote to memory of 3624	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	SearchApp.exe
PID 2340 wrote to memory of 3848	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	RuntimeBroker.exe
PID 2340 wrote to memory of 4460	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	RuntimeBroker.exe
PID 2340 wrote to memory of 5008	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	RuntimeBroker.exe
PID 2340 wrote to memory of 772	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	fontdrvhost.exe
PID 2340 wrote to memory of 768	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	fontdrvhost.exe
PID 2340 wrote to memory of 1016	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	dwm.exe
PID 2340 wrote to memory of 2268	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	sihost.exe
PID 2340 wrote to memory of 2300	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	svchost.exe
PID 2340 wrote to memory of 2440	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	taskhostw.exe
PID 2340 wrote to memory of 3180	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	svchost.exe
PID 2340 wrote to memory of 3380	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	DllHost.exe
PID 2340 wrote to memory of 3468	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	StartMenuExperienceHost.exe
PID 2340 wrote to memory of 3544	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	RuntimeBroker.exe
PID 2340 wrote to memory of 3624	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	SearchApp.exe
PID 2340 wrote to memory of 3848	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	RuntimeBroker.exe
PID 2340 wrote to memory of 4460	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	RuntimeBroker.exe
PID 2340 wrote to memory of 772	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	fontdrvhost.exe
PID 2340 wrote to memory of 768	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	fontdrvhost.exe
PID 2340 wrote to memory of 1016	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	dwm.exe
PID 2340 wrote to memory of 2268	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	sihost.exe
PID 2340 wrote to memory of 2300	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	svchost.exe
PID 2340 wrote to memory of 2440	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	taskhostw.exe
PID 2340 wrote to memory of 3180	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	svchost.exe
PID 2340 wrote to memory of 3380	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	DllHost.exe
PID 2340 wrote to memory of 3468	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	StartMenuExperienceHost.exe
PID 2340 wrote to memory of 3544	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	RuntimeBroker.exe
PID 2340 wrote to memory of 3624	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	SearchApp.exe
PID 2340 wrote to memory of 3848	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	RuntimeBroker.exe
PID 2340 wrote to memory of 4460	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	RuntimeBroker.exe
PID 2340 wrote to memory of 772	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	fontdrvhost.exe
PID 2340 wrote to memory of 768	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	fontdrvhost.exe
PID 2340 wrote to memory of 1016	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	dwm.exe
PID 2340 wrote to memory of 2268	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	sihost.exe
PID 2340 wrote to memory of 2300	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	svchost.exe
PID 2340 wrote to memory of 2440	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	taskhostw.exe
PID 2340 wrote to memory of 3180	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	svchost.exe
PID 2340 wrote to memory of 3380	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	DllHost.exe
PID 2340 wrote to memory of 3468	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	StartMenuExperienceHost.exe
PID 2340 wrote to memory of 3544	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	RuntimeBroker.exe
PID 2340 wrote to memory of 3624	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	SearchApp.exe
PID 2340 wrote to memory of 3848	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	RuntimeBroker.exe
PID 2340 wrote to memory of 4460	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	RuntimeBroker.exe
PID 2340 wrote to memory of 772	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	fontdrvhost.exe
PID 2340 wrote to memory of 768	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	fontdrvhost.exe
PID 2340 wrote to memory of 1016	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	dwm.exe
PID 2340 wrote to memory of 2268	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	sihost.exe
PID 2340 wrote to memory of 2300	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	svchost.exe
PID 2340 wrote to memory of 2440	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	taskhostw.exe
PID 2340 wrote to memory of 3180	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	svchost.exe
PID 2340 wrote to memory of 3380	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	DllHost.exe
PID 2340 wrote to memory of 3468	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	StartMenuExperienceHost.exe
PID 2340 wrote to memory of 3544	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	RuntimeBroker.exe
PID 2340 wrote to memory of 3624	2340	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe	SearchApp.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1016

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3544

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3624

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3468

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3180

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4460

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5008

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3848

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2300

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2268

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:768

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:772

C:\Users\Admin\AppData\Local\Temp\7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe
"C:\Users\Admin\AppData\Local\Temp\7da56f27684b28d655cff2fa77415685769ba39107bee982812f45a22d32bf7a.exe"
1⤵
- Modifies firewall policy service
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

6

T1112

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop.ocx
Filesize
1.5MB

MD5
9b686a7d92dbdd59d937b0529243cf7d

SHA1
bcbe1ef469b46115874fa411720aeaa0ddba4e5a

SHA256
e0c4b7ccd4eb130e3ce0f7076b73ed4c8021f495b9d5d25008615e36622d9d10

SHA512
d0ac539f2792cd13c8460c6993241d8bc429bfe8f45fd5432c74320165750455b823301bca2d264da83ff866bf767f382c8b7cbab03f8fe1591efbe0f55c3d67

Download Submit
memory/2340-130-0x0000000002670000-0x000000000372A000-memory.dmp

Filesize
16.7MB

Download
memory/2340-132-0x0000000002670000-0x000000000372A000-memory.dmp

Filesize
16.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads