sality | e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0

Processes:

e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exeFun.exeSVIQ.EXEdc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	SVIQ.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	dc.exe

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

Modify Existing Service

T1031

Processes:

dc.exee02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	dc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	dc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	dc.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Processes:

e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exedc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dc.exe

Windows security bypass 2 TTPs 12 IoCs

Disabling Security Tools

Modify Registry

Processes:

e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exedc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe

Executes dropped EXE 4 IoCs

Processes:

Fun.exeSVIQ.EXEdc.exedc.exe

pid process

2020 Fun.exe
1216 SVIQ.EXE
1948 dc.exe
668 dc.exe

pid	process
2020	Fun.exe
1216	SVIQ.EXE
1948	dc.exe
668	dc.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/604-56-0x00000000027F0000-0x000000000387E000-memory.dmp	upx
behavioral1/memory/604-57-0x00000000027F0000-0x000000000387E000-memory.dmp	upx
behavioral1/memory/604-62-0x00000000027F0000-0x000000000387E000-memory.dmp	upx
behavioral1/memory/604-123-0x00000000027F0000-0x000000000387E000-memory.dmp	upx
behavioral1/memory/1948-127-0x00000000038E0000-0x000000000496E000-memory.dmp	upx
behavioral1/memory/1948-129-0x00000000038E0000-0x000000000496E000-memory.dmp	upx
behavioral1/memory/1948-133-0x00000000038E0000-0x000000000496E000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

dc.exe

pid process

1948 dc.exe

pid	process
1948	dc.exe

Loads dropped DLL 2 IoCs

Processes:

e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe

pid	process
604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe

Windows security modification 2 TTPs 14 IoCs

Disabling Security Tools

Modify Registry

Processes:

dc.exee02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	dc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

dc.exee02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exeSVIQ.EXEFun.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	SVIQ.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	SVIQ.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	SVIQ.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	SVIQ.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

Processes:

e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exedc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dc.exe

Enumerates connected drives 3 TTPs 36 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exedc.exe

description	ioc	process
File opened (read-only)	\??\F:	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened (read-only)	\??\R:	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened (read-only)	\??\G:	dc.exe
File opened (read-only)	\??\W:	dc.exe
File opened (read-only)	\??\K:	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened (read-only)	\??\N:	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened (read-only)	\??\L:	dc.exe
File opened (read-only)	\??\P:	dc.exe
File opened (read-only)	\??\H:	dc.exe
File opened (read-only)	\??\K:	dc.exe
File opened (read-only)	\??\H:	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened (read-only)	\??\O:	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened (read-only)	\??\F:	dc.exe
File opened (read-only)	\??\N:	dc.exe
File opened (read-only)	\??\R:	dc.exe
File opened (read-only)	\??\L:	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened (read-only)	\??\I:	dc.exe
File opened (read-only)	\??\J:	dc.exe
File opened (read-only)	\??\Q:	dc.exe
File opened (read-only)	\??\S:	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened (read-only)	\??\U:	dc.exe
File opened (read-only)	\??\X:	dc.exe
File opened (read-only)	\??\I:	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened (read-only)	\??\J:	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened (read-only)	\??\M:	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened (read-only)	\??\Q:	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened (read-only)	\??\M:	dc.exe
File opened (read-only)	\??\O:	dc.exe
File opened (read-only)	\??\V:	dc.exe
File opened (read-only)	\??\T:	dc.exe
File opened (read-only)	\??\Y:	dc.exe
File opened (read-only)	\??\Z:	dc.exe
File opened (read-only)	\??\G:	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened (read-only)	\??\P:	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened (read-only)	\??\E:	dc.exe
File opened (read-only)	\??\S:	dc.exe

Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

dc.exe

description ioc process

File opened for modification C:\autorun.inf dc.exe

description	ioc	process
File opened for modification	C:\autorun.inf	dc.exe

Drops file in System32 directory 10 IoCs

Processes:

e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exeSVIQ.EXEdc.exeFun.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WinSit.exe	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File created	C:\Windows\SysWOW64\config\Win.exe	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	SVIQ.EXE
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	dc.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	dc.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	SVIQ.EXE

Drops file in Program Files directory 1 IoCs

Processes:

dc.exe

description ioc process

File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe dc.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	dc.exe

Drops file in Windows directory 37 IoCs

Processes:

e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exeSVIQ.EXEdc.exeFun.exe

description	ioc	process
File opened for modification	C:\Windows\SVIQ.EXE	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File created	C:\Windows\system\Fun.exe	SVIQ.EXE
File created	C:\Windows\system\Fun.exe	dc.exe
File opened for modification	C:\Windows\wininit.ini	dc.exe
File opened for modification	C:\Windows\SVIQ.EXE	dc.exe
File opened for modification	C:\Windows\SYSTEM.INI	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File created	C:\Windows\SVIQ.EXE	SVIQ.EXE
File created	C:\Windows\dc.exe	dc.exe
File opened for modification	C:\Windows\Help\Other.exe	SVIQ.EXE
File created	C:\Windows\SVIQ.EXE	dc.exe
File opened for modification	C:\Windows\SVIQ.EXE	SVIQ.EXE
File opened for modification	C:\Windows\system\Fun.exe	dc.exe
File created	C:\Windows\Help\Other.exe	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened for modification	C:\Windows\Help\Other.exe	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File opened for modification	C:\Windows\system\Fun.exe	SVIQ.EXE
File opened for modification	C:\Windows\SVIQ.exe	SVIQ.EXE
File opened for modification	C:\Windows\dc.exe	dc.exe
File created	C:\Windows\inf\Other.exe	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	SVIQ.EXE
File opened for modification	C:\Windows\Help\Other.exe	dc.exe
File opened for modification	C:\Windows\dc.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	dc.exe
File opened for modification	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened for modification	C:\Windows\system\Fun.exe	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File created	C:\Windows\SVIQ.EXE	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened for modification	C:\Windows\inf\Other.exe	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened for modification	C:\Windows\wininit.ini	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File created	C:\Windows\dc.exe	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened for modification	C:\Windows\dc.exe	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File opened for modification	C:\Windows\dc.exe	SVIQ.EXE
File opened for modification	C:\Windows\wininit.ini	SVIQ.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exeFun.exeSVIQ.EXEdc.exedc.exe

pid	process
604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
2020	Fun.exe
604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
1216	SVIQ.EXE
1216	SVIQ.EXE
1948	dc.exe
1948	dc.exe
1216	SVIQ.EXE
1948	dc.exe
668	dc.exe
1216	SVIQ.EXE
604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
1948	dc.exe
1216	SVIQ.EXE
604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
1948	dc.exe
1216	SVIQ.EXE
1948	dc.exe
1216	SVIQ.EXE
1948	dc.exe
1948	dc.exe
1216	SVIQ.EXE
1948	dc.exe
1948	dc.exe
1216	SVIQ.EXE
2020	Fun.exe
1948	dc.exe
1216	SVIQ.EXE
2020	Fun.exe
1948	dc.exe
1216	SVIQ.EXE
2020	Fun.exe
1216	SVIQ.EXE
1948	dc.exe
2020	Fun.exe
1948	dc.exe
1948	dc.exe
1216	SVIQ.EXE
2020	Fun.exe
1216	SVIQ.EXE
1948	dc.exe
2020	Fun.exe
1216	SVIQ.EXE
1948	dc.exe
2020	Fun.exe
1948	dc.exe
1216	SVIQ.EXE
1948	dc.exe
2020	Fun.exe
1216	SVIQ.EXE
1948	dc.exe
2020	Fun.exe
2020	Fun.exe
1216	SVIQ.EXE
1948	dc.exe
1948	dc.exe
1216	SVIQ.EXE
1948	dc.exe
2020	Fun.exe
1216	SVIQ.EXE
1948	dc.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exedc.exe

description	pid	process
Token: SeDebugPrivilege	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
Token: SeDebugPrivilege	1948	dc.exe
Token: SeDebugPrivilege	1948	dc.exe
Token: SeDebugPrivilege	1948	dc.exe
Token: SeDebugPrivilege	1948	dc.exe
Token: SeDebugPrivilege	1948	dc.exe
Token: SeDebugPrivilege	1948	dc.exe
Token: SeDebugPrivilege	1948	dc.exe
Token: SeDebugPrivilege	1948	dc.exe
Token: SeDebugPrivilege	1948	dc.exe
Token: SeDebugPrivilege	1948	dc.exe
Token: SeDebugPrivilege	1948	dc.exe
Token: SeDebugPrivilege	1948	dc.exe
Token: SeDebugPrivilege	1948	dc.exe
Token: SeDebugPrivilege	1948	dc.exe
Token: SeDebugPrivilege	1948	dc.exe
Token: SeDebugPrivilege	1948	dc.exe
Token: SeDebugPrivilege	1948	dc.exe
Token: SeDebugPrivilege	1948	dc.exe
Token: SeDebugPrivilege	1948	dc.exe
Token: SeDebugPrivilege	1948	dc.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exeFun.exeSVIQ.EXEdc.exedc.exe

pid	process
604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
2020	Fun.exe
2020	Fun.exe
1216	SVIQ.EXE
1216	SVIQ.EXE
1948	dc.exe
1948	dc.exe
668	dc.exe
668	dc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exeFun.exeSVIQ.EXEdc.exe

description	pid	process	target process
PID 604 wrote to memory of 1192	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	taskhost.exe
PID 604 wrote to memory of 1292	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	Dwm.exe
PID 604 wrote to memory of 1340	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	Explorer.EXE
PID 604 wrote to memory of 1192	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	taskhost.exe
PID 604 wrote to memory of 1292	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	Dwm.exe
PID 604 wrote to memory of 1340	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	Explorer.EXE
PID 604 wrote to memory of 2020	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	Fun.exe
PID 604 wrote to memory of 2020	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	Fun.exe
PID 604 wrote to memory of 2020	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	Fun.exe
PID 604 wrote to memory of 2020	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	Fun.exe
PID 2020 wrote to memory of 1216	2020	Fun.exe	SVIQ.EXE
PID 2020 wrote to memory of 1216	2020	Fun.exe	SVIQ.EXE
PID 2020 wrote to memory of 1216	2020	Fun.exe	SVIQ.EXE
PID 2020 wrote to memory of 1216	2020	Fun.exe	SVIQ.EXE
PID 604 wrote to memory of 1192	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	taskhost.exe
PID 604 wrote to memory of 1292	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	Dwm.exe
PID 604 wrote to memory of 1340	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	Explorer.EXE
PID 604 wrote to memory of 2020	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	Fun.exe
PID 604 wrote to memory of 2020	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	Fun.exe
PID 604 wrote to memory of 1216	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	SVIQ.EXE
PID 604 wrote to memory of 1216	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	SVIQ.EXE
PID 1216 wrote to memory of 1948	1216	SVIQ.EXE	dc.exe
PID 1216 wrote to memory of 1948	1216	SVIQ.EXE	dc.exe
PID 1216 wrote to memory of 1948	1216	SVIQ.EXE	dc.exe
PID 1216 wrote to memory of 1948	1216	SVIQ.EXE	dc.exe
PID 604 wrote to memory of 668	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	dc.exe
PID 604 wrote to memory of 668	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	dc.exe
PID 604 wrote to memory of 668	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	dc.exe
PID 604 wrote to memory of 668	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	dc.exe
PID 604 wrote to memory of 1192	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	taskhost.exe
PID 604 wrote to memory of 1292	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	Dwm.exe
PID 604 wrote to memory of 1340	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	Explorer.EXE
PID 604 wrote to memory of 1948	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	dc.exe
PID 604 wrote to memory of 1948	604	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe	dc.exe
PID 1948 wrote to memory of 1192	1948	dc.exe	taskhost.exe
PID 1948 wrote to memory of 1292	1948	dc.exe	Dwm.exe
PID 1948 wrote to memory of 1340	1948	dc.exe	Explorer.EXE
PID 1948 wrote to memory of 1192	1948	dc.exe	taskhost.exe
PID 1948 wrote to memory of 1292	1948	dc.exe	Dwm.exe
PID 1948 wrote to memory of 1340	1948	dc.exe	Explorer.EXE
PID 1948 wrote to memory of 1192	1948	dc.exe	taskhost.exe
PID 1948 wrote to memory of 1292	1948	dc.exe	Dwm.exe
PID 1948 wrote to memory of 1340	1948	dc.exe	Explorer.EXE
PID 1948 wrote to memory of 1192	1948	dc.exe	taskhost.exe
PID 1948 wrote to memory of 1292	1948	dc.exe	Dwm.exe
PID 1948 wrote to memory of 1340	1948	dc.exe	Explorer.EXE
PID 1948 wrote to memory of 1192	1948	dc.exe	taskhost.exe
PID 1948 wrote to memory of 1292	1948	dc.exe	Dwm.exe
PID 1948 wrote to memory of 1340	1948	dc.exe	Explorer.EXE
PID 1948 wrote to memory of 1192	1948	dc.exe	taskhost.exe
PID 1948 wrote to memory of 1292	1948	dc.exe	Dwm.exe
PID 1948 wrote to memory of 1340	1948	dc.exe	Explorer.EXE
PID 1948 wrote to memory of 1192	1948	dc.exe	taskhost.exe
PID 1948 wrote to memory of 1292	1948	dc.exe	Dwm.exe
PID 1948 wrote to memory of 1340	1948	dc.exe	Explorer.EXE
PID 1948 wrote to memory of 1192	1948	dc.exe	taskhost.exe
PID 1948 wrote to memory of 1292	1948	dc.exe	Dwm.exe
PID 1948 wrote to memory of 1340	1948	dc.exe	Explorer.EXE
PID 1948 wrote to memory of 1192	1948	dc.exe	taskhost.exe
PID 1948 wrote to memory of 1292	1948	dc.exe	Dwm.exe
PID 1948 wrote to memory of 1340	1948	dc.exe	Explorer.EXE
PID 1948 wrote to memory of 1192	1948	dc.exe	taskhost.exe
PID 1948 wrote to memory of 1292	1948	dc.exe	Dwm.exe
PID 1948 wrote to memory of 1340	1948	dc.exe	Explorer.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

Processes:

dc.exee02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1340

C:\Users\Admin\AppData\Local\Temp\e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe
"C:\Users\Admin\AppData\Local\Temp\e02ec60c765ad19a9b8208683e5405759eadc2f5b0cbae871de3aab2734200f0.exe"
2⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:604

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\dc.exe
C:\Windows\dc.exe
5⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Deletes itself
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1948

C:\Windows\dc.exe
C:\Windows\dc.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:668

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1292

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry