sality | 06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928

Modify Existing Service

T1031

Processes:

06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Processes:

06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

Windows security bypass 2 TTPs 6 IoCs

Disabling Security Tools

Modify Registry

Processes:

06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sdWuUB.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\sdWuUB.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\sdWuUB.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\sdWuUB.exe	aspack_v212_v242
behavioral1/memory/1680-91-0x0000000000B10000-0x0000000000B19000-memory.dmp	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

sdWuUB.exe

pid process

1160 sdWuUB.exe

pid	process
1160	sdWuUB.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1680-55-0x00000000023A0000-0x000000000342E000-memory.dmp	upx
behavioral1/memory/1680-63-0x00000000023A0000-0x000000000342E000-memory.dmp	upx
behavioral1/memory/1680-73-0x00000000023A0000-0x000000000342E000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

T1497

Processes:

06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

Loads dropped DLL 2 IoCs

Processes:

06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

pid	process
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

Windows security modification 2 TTPs 7 IoCs

Disabling Security Tools

Modify Registry

Processes:

06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

Processes:

06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

description	ioc	process
File opened (read-only)	\??\V:	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened (read-only)	\??\J:	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened (read-only)	\??\L:	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened (read-only)	\??\P:	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened (read-only)	\??\T:	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened (read-only)	\??\W:	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened (read-only)	\??\Y:	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened (read-only)	\??\Z:	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened (read-only)	\??\F:	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened (read-only)	\??\I:	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened (read-only)	\??\Q:	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened (read-only)	\??\U:	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened (read-only)	\??\G:	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened (read-only)	\??\O:	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened (read-only)	\??\R:	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened (read-only)	\??\S:	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened (read-only)	\??\N:	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened (read-only)	\??\X:	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened (read-only)	\??\E:	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened (read-only)	\??\H:	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened (read-only)	\??\K:	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened (read-only)	\??\M:	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

description ioc process

File opened for modification C:\autorun.inf 06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

pid process

1680 06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

description	ioc	process
File opened for modification	C:\autorun.inf	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

Drops file in Program Files directory 64 IoCs

Processes:

sdWuUB.exe06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	sdWuUB.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	sdWuUB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	sdWuUB.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	sdWuUB.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\wsimport.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\ktab.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	sdWuUB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	sdWuUB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	sdWuUB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE	sdWuUB.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\jabswitch.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\jps.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	sdWuUB.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	sdWuUB.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\tnameserv.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe	sdWuUB.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JRE7\BIN\servertool.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	sdWuUB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	sdWuUB.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	sdWuUB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	sdWuUB.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\jcmd.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\servertool.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	sdWuUB.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\Chess.exe	sdWuUB.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	sdWuUB.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\jabswitch.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JRE7\BIN\java.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	sdWuUB.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	sdWuUB.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe	sdWuUB.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\idlj.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\jmc.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	sdWuUB.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\javac.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\servertool.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\java.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JRE7\BIN\keytool.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	sdWuUB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	sdWuUB.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	sdWuUB.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	sdWuUB.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\jarsigner.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	sdWuUB.exe
File opened for modification	C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\chrome_proxy.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	sdWuUB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	sdWuUB.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	sdWuUB.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler.exe	sdWuUB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	sdWuUB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	sdWuUB.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\jdb.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\java-rmi.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\klist.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JRE7\BIN\policytool.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\rmic.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\JRE\BIN\policytool.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	sdWuUB.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	sdWuUB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	sdWuUB.exe
File opened for modification	C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\chrome.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\extcheck.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\native2ascii.exe	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	sdWuUB.exe

Drops file in Windows directory 1 IoCs

Processes:

06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI 06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

Processes:

06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\qq.com\NumberOfSubdomains = "1"	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\qq.com	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

pid	process
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

description	pid	process
Token: SeDebugPrivilege	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Token: SeDebugPrivilege	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Token: SeDebugPrivilege	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Token: SeDebugPrivilege	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Token: SeDebugPrivilege	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Token: SeDebugPrivilege	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Token: SeDebugPrivilege	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Token: SeDebugPrivilege	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Token: SeDebugPrivilege	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Token: SeDebugPrivilege	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Token: SeDebugPrivilege	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Token: SeDebugPrivilege	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Token: SeDebugPrivilege	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Token: SeDebugPrivilege	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Token: SeDebugPrivilege	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Token: SeDebugPrivilege	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Token: SeDebugPrivilege	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Token: SeDebugPrivilege	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Token: SeDebugPrivilege	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Token: SeDebugPrivilege	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Token: SeDebugPrivilege	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

pid	process
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exesdWuUB.exe

description	pid	process	target process
PID 1680 wrote to memory of 1160	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	sdWuUB.exe
PID 1680 wrote to memory of 1160	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	sdWuUB.exe
PID 1680 wrote to memory of 1160	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	sdWuUB.exe
PID 1680 wrote to memory of 1160	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	sdWuUB.exe
PID 1680 wrote to memory of 1132	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	taskhost.exe
PID 1680 wrote to memory of 1204	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	Dwm.exe
PID 1680 wrote to memory of 1252	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	Explorer.EXE
PID 1680 wrote to memory of 1132	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	taskhost.exe
PID 1680 wrote to memory of 1204	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	Dwm.exe
PID 1680 wrote to memory of 1252	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	Explorer.EXE
PID 1680 wrote to memory of 1160	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	sdWuUB.exe
PID 1680 wrote to memory of 1160	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	sdWuUB.exe
PID 1680 wrote to memory of 1180	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	DllHost.exe
PID 1680 wrote to memory of 1148	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	DllHost.exe
PID 1680 wrote to memory of 1132	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	taskhost.exe
PID 1680 wrote to memory of 1204	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	Dwm.exe
PID 1680 wrote to memory of 1252	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	Explorer.EXE
PID 1680 wrote to memory of 1180	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	DllHost.exe
PID 1680 wrote to memory of 1672	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	DllHost.exe
PID 1680 wrote to memory of 1132	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	taskhost.exe
PID 1680 wrote to memory of 1204	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	Dwm.exe
PID 1680 wrote to memory of 1252	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	Explorer.EXE
PID 1680 wrote to memory of 1180	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	DllHost.exe
PID 1680 wrote to memory of 628	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	DllHost.exe
PID 1160 wrote to memory of 1596	1160	sdWuUB.exe	cmd.exe
PID 1160 wrote to memory of 1596	1160	sdWuUB.exe	cmd.exe
PID 1160 wrote to memory of 1596	1160	sdWuUB.exe	cmd.exe
PID 1160 wrote to memory of 1596	1160	sdWuUB.exe	cmd.exe
PID 1680 wrote to memory of 1132	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	taskhost.exe
PID 1680 wrote to memory of 1204	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	Dwm.exe
PID 1680 wrote to memory of 1252	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	Explorer.EXE
PID 1680 wrote to memory of 1180	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	DllHost.exe
PID 1680 wrote to memory of 2044	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	DllHost.exe
PID 1680 wrote to memory of 1132	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	taskhost.exe
PID 1680 wrote to memory of 1204	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	Dwm.exe
PID 1680 wrote to memory of 1252	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	Explorer.EXE
PID 1680 wrote to memory of 1180	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	DllHost.exe
PID 1680 wrote to memory of 628	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	DllHost.exe
PID 1680 wrote to memory of 1132	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	taskhost.exe
PID 1680 wrote to memory of 1204	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	Dwm.exe
PID 1680 wrote to memory of 1252	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	Explorer.EXE
PID 1680 wrote to memory of 1180	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	DllHost.exe
PID 1680 wrote to memory of 1672	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	DllHost.exe
PID 1680 wrote to memory of 1132	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	taskhost.exe
PID 1680 wrote to memory of 1204	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	Dwm.exe
PID 1680 wrote to memory of 1252	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	Explorer.EXE
PID 1680 wrote to memory of 1180	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	DllHost.exe
PID 1680 wrote to memory of 1132	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	taskhost.exe
PID 1680 wrote to memory of 1204	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	Dwm.exe
PID 1680 wrote to memory of 1252	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	Explorer.EXE
PID 1680 wrote to memory of 1180	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	DllHost.exe
PID 1680 wrote to memory of 1132	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	taskhost.exe
PID 1680 wrote to memory of 1204	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	Dwm.exe
PID 1680 wrote to memory of 1252	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	Explorer.EXE
PID 1680 wrote to memory of 1180	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	DllHost.exe
PID 1680 wrote to memory of 1596	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	DllHost.exe
PID 1680 wrote to memory of 1132	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	taskhost.exe
PID 1680 wrote to memory of 1204	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	Dwm.exe
PID 1680 wrote to memory of 1252	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	Explorer.EXE
PID 1680 wrote to memory of 1180	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	DllHost.exe
PID 1680 wrote to memory of 968	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	DllHost.exe
PID 1680 wrote to memory of 1132	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	taskhost.exe
PID 1680 wrote to memory of 1204	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	Dwm.exe
PID 1680 wrote to memory of 1252	1680	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe	Explorer.EXE

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
"C:\Users\Admin\AppData\Local\Temp\06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe"
2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1680

C:\Users\Admin\AppData\Local\Temp\sdWuUB.exe
C:\Users\Admin\AppData\Local\Temp\sdWuUB.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\48e40a79.bat" "
4⤵
PID:1596

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1204

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1180

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1148

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1672

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:628

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2044

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:628

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1672

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:968

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1920

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1616

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery