chinese_generic_botnet | 312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7

Analysis

max time kernel
36s
max time network
155s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
24-08-2023 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Size

448KB
MD5

2075e021c9c74f74e94854d5792c3fc4
SHA1

ef998c92ee0f768ed86cb7a1fba1c9847007e62b
SHA256

312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7
SHA512

47ac95f6517cf4e32968cb1127446fd38fd34ad4851d0e610a8475b2186804da90de08fa4baff2879be743d2f0e166420b26d108afada3d84a5ddbaaf2755af4
SSDEEP

3072:ynAdrtGJGxJ9ptWrvjDb9jY+3Eeh0zlR3C7E6LUKrwt192MeAgzh3xJ+apj6+GiP:tiGv9ptWFZEeShRyhrOjN2xJZpjrZP

Score

10^/10

chinese_generic_botnet sality backdoor botnet evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe

Windows security bypass 2 TTPs 18 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe

Chinese Botnet payload 4 IoCs

botnet

resource	yara_rule
behavioral1/memory/2084-23-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet
behavioral1/memory/2184-150-0x0000000000400000-0x0000000000470000-memory.dmp	unk_chinese_botnet
behavioral1/memory/772-173-0x0000000000400000-0x0000000000470000-memory.dmp	unk_chinese_botnet
behavioral1/memory/2084-186-0x0000000000400000-0x0000000000470000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 1 IoCs

pid	Process
2184	Terms.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2084-2-0x0000000000630000-0x00000000016BE000-memory.dmp	upx
behavioral1/memory/2084-4-0x0000000000630000-0x00000000016BE000-memory.dmp	upx
behavioral1/memory/2084-5-0x0000000000630000-0x00000000016BE000-memory.dmp	upx
behavioral1/memory/2084-7-0x0000000000630000-0x00000000016BE000-memory.dmp	upx
behavioral1/memory/2084-10-0x0000000000630000-0x00000000016BE000-memory.dmp	upx
behavioral1/memory/2084-14-0x0000000000630000-0x00000000016BE000-memory.dmp	upx
behavioral1/memory/2084-17-0x0000000000630000-0x00000000016BE000-memory.dmp	upx
behavioral1/memory/2084-21-0x0000000000630000-0x00000000016BE000-memory.dmp	upx
behavioral1/memory/2084-22-0x0000000000630000-0x00000000016BE000-memory.dmp	upx
behavioral1/memory/2084-28-0x0000000000630000-0x00000000016BE000-memory.dmp	upx
behavioral1/memory/2084-29-0x0000000000630000-0x00000000016BE000-memory.dmp	upx
behavioral1/memory/2084-30-0x0000000000630000-0x00000000016BE000-memory.dmp	upx
behavioral1/memory/2084-31-0x0000000000630000-0x00000000016BE000-memory.dmp	upx
behavioral1/memory/2084-32-0x0000000000630000-0x00000000016BE000-memory.dmp	upx
behavioral1/memory/2084-42-0x0000000000630000-0x00000000016BE000-memory.dmp	upx
behavioral1/memory/2084-43-0x0000000000630000-0x00000000016BE000-memory.dmp	upx
behavioral1/memory/2084-44-0x0000000000630000-0x00000000016BE000-memory.dmp	upx
behavioral1/memory/2084-46-0x0000000000630000-0x00000000016BE000-memory.dmp	upx
behavioral1/memory/2084-48-0x0000000000630000-0x00000000016BE000-memory.dmp	upx
behavioral1/memory/2084-50-0x0000000000630000-0x00000000016BE000-memory.dmp	upx
behavioral1/memory/2084-52-0x0000000000630000-0x00000000016BE000-memory.dmp	upx
behavioral1/memory/2084-53-0x0000000000630000-0x00000000016BE000-memory.dmp	upx
behavioral1/memory/2084-54-0x0000000000630000-0x00000000016BE000-memory.dmp	upx
behavioral1/memory/2084-61-0x0000000000630000-0x00000000016BE000-memory.dmp	upx
behavioral1/memory/2084-67-0x0000000000630000-0x00000000016BE000-memory.dmp	upx
behavioral1/memory/2084-68-0x0000000000630000-0x00000000016BE000-memory.dmp	upx
behavioral1/memory/2184-74-0x00000000005E0000-0x000000000166E000-memory.dmp	upx
behavioral1/memory/2184-77-0x00000000005E0000-0x000000000166E000-memory.dmp	upx
behavioral1/memory/2184-78-0x00000000005E0000-0x000000000166E000-memory.dmp	upx
behavioral1/memory/2184-121-0x00000000005E0000-0x000000000166E000-memory.dmp	upx
behavioral1/memory/2184-151-0x00000000005E0000-0x000000000166E000-memory.dmp	upx

Windows security modification 2 TTPs 20 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Terms.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1"	Terms.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
File opened (read-only)	\??\M:	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
File opened (read-only)	\??\O:	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
File opened (read-only)	\??\Q:	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
File opened (read-only)	\??\R:	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
File opened (read-only)	\??\S:	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
File opened (read-only)	\??\T:	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
File opened (read-only)	\??\E:	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
File opened (read-only)	\??\G:	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
File opened (read-only)	\??\H:	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
File opened (read-only)	\??\I:	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
File opened (read-only)	\??\J:	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
File opened (read-only)	\??\N:	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
File opened (read-only)	\??\K:	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
File opened (read-only)	\??\P:	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
File opened (read-only)	\??\V:	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
File opened (read-only)	\??\U:	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
File opened (read-only)	\??\E:	Terms.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Terms.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Terms.exe	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
File opened for modification	C:\Program Files (x86)\Terms.exe	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\1460008425\1414748499 = "136"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\1460008425\1364026700 = "35"	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7C950E98-D830-4DE2-AB83-B861DB2F45C2}\WpadDecisionReason = "1"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7C950E98-D830-4DE2-AB83-B861DB2F45C2}\76-c4-c5-a2-36-56	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-c4-c5-a2-36-56\WpadDecisionReason = "1"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-c4-c5-a2-36-56	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\1460008425\-101443598 = "0800687474703A2F2F616C7468617772792E6F72672F696D616765732F78732E6A706700687474703A2F2F7777772E6361726565726465736B2E6F72672F696D616765732F78732E6A706700687474703A2F2F6172746875722E6E697269612E62697A2F78732E6A706700687474703A2F2F616D73616D65782E636F6D2F78732E6A706700687474703A2F2F6170706C652D7069652E696E2F696D616765732F78732E6A706700687474703A2F2F61686D65646979652E6E65742F78732E6A706700687474703A2F2F67322E6172726F776869746563682E636F6D2F78732E6A706700687474703A2F2F616D7079617A696C696D2E636F6D2E74722F696D616765732F7873322E6A7067"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-c4-c5-a2-36-56\WpadDecisionTime = c0273fdc81d6d901	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7C950E98-D830-4DE2-AB83-B861DB2F45C2}\WpadDecisionTime = c0273fdc81d6d901	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7C950E98-D830-4DE2-AB83-B861DB2F45C2}\WpadDecision = "0"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\1460008425	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\1460008425\1313304901 = "23E4F7F25F8A545EF07859773043475EDD1D103E2D9C27F1F3A268ED09F30DE884DB9D92FD831B72EEF599E8C233EB23FBE7145BFA46281679ED385593CEE8869548167F08C5681A4B967232DBC5E0E01EC06026FCE8B24FCB589B28C073413E3C9C326851C4731397E851C96D85B6EDDDAA4E25FA227776D385991927AE94FC"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7C950E98-D830-4DE2-AB83-B861DB2F45C2}	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\1460008425\-1465470298 = "0"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\1460008425\-1516192097 = "267"	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7C950E98-D830-4DE2-AB83-B861DB2F45C2}\WpadNetworkName = "Network 2"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S4_0 = "0"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline = "0"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\1460008425\-50721799 = "0"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Terms.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S1_0 = "3299283285"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S2_0 = "9832"	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S3_0 = "17001001"	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0051000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-c4-c5-a2-36-56\WpadDecision = "0"	Terms.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
2184	Terms.exe
2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Token: SeDebugPrivilege	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Token: SeDebugPrivilege	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Token: SeDebugPrivilege	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Token: SeDebugPrivilege	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Token: SeDebugPrivilege	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Token: SeDebugPrivilege	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Token: SeDebugPrivilege	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Token: SeDebugPrivilege	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Token: SeDebugPrivilege	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Token: SeDebugPrivilege	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Token: SeDebugPrivilege	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Token: SeDebugPrivilege	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Token: SeDebugPrivilege	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Token: SeDebugPrivilege	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Token: SeDebugPrivilege	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Token: SeDebugPrivilege	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Token: SeDebugPrivilege	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Token: SeDebugPrivilege	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Token: SeDebugPrivilege	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Token: SeDebugPrivilege	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Token: SeDebugPrivilege	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Token: SeDebugPrivilege	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Token: SeDebugPrivilege	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Token: SeDebugPrivilege	2184	Terms.exe
Token: SeDebugPrivilege	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
Token: SeDebugPrivilege	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1116	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe	11
PID 2084 wrote to memory of 1168	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe	12
PID 2084 wrote to memory of 1196	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe	13
PID 2084 wrote to memory of 1692	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe	16
PID 2084 wrote to memory of 1116	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe	11
PID 2084 wrote to memory of 1168	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe	12
PID 2084 wrote to memory of 1196	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe	13
PID 2084 wrote to memory of 2480	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe	28
PID 2084 wrote to memory of 2728	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe	29
PID 2084 wrote to memory of 1116	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe	11
PID 2084 wrote to memory of 1168	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe	12
PID 2084 wrote to memory of 1196	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe	13
PID 2084 wrote to memory of 2480	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe	28
PID 2184 wrote to memory of 1116	2184	Terms.exe	11
PID 2184 wrote to memory of 1168	2184	Terms.exe	12
PID 2184 wrote to memory of 1196	2184	Terms.exe	13
PID 2184 wrote to memory of 2084	2184	Terms.exe	27
PID 2184 wrote to memory of 2480	2184	Terms.exe	28
PID 2084 wrote to memory of 1116	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe	11
PID 2084 wrote to memory of 1168	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe	12
PID 2084 wrote to memory of 1196	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe	13
PID 2084 wrote to memory of 2480	2084	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe	28

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Terms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe
  "C:\Users\Admin\AppData\Local\Temp\312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7.exe"
  2⤵
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2084

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1692

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2480

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2728

C:\Program Files (x86)\Terms.exe
"C:\Program Files (x86)\Terms.exe"
1⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2184
- C:\Program Files (x86)\Terms.exe
  "C:\Program Files (x86)\Terms.exe" Win7
  2⤵
  PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Terms.exe

Filesize
448KB

MD5
2075e021c9c74f74e94854d5792c3fc4

SHA1
ef998c92ee0f768ed86cb7a1fba1c9847007e62b

SHA256
312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7

SHA512
47ac95f6517cf4e32968cb1127446fd38fd34ad4851d0e610a8475b2186804da90de08fa4baff2879be743d2f0e166420b26d108afada3d84a5ddbaaf2755af4

Download Submit
C:\Program Files (x86)\Terms.exe

Filesize
448KB

MD5
2075e021c9c74f74e94854d5792c3fc4

SHA1
ef998c92ee0f768ed86cb7a1fba1c9847007e62b

SHA256
312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7

SHA512
47ac95f6517cf4e32968cb1127446fd38fd34ad4851d0e610a8475b2186804da90de08fa4baff2879be743d2f0e166420b26d108afada3d84a5ddbaaf2755af4

Download Submit
C:\Program Files (x86)\Terms.exe

Filesize
448KB

MD5
2075e021c9c74f74e94854d5792c3fc4

SHA1
ef998c92ee0f768ed86cb7a1fba1c9847007e62b

SHA256
312f26c90b45e92809ad3dfb3e72f450413deb21ef8fb4cf8d2404b12a9d6cd7

SHA512
47ac95f6517cf4e32968cb1127446fd38fd34ad4851d0e610a8475b2186804da90de08fa4baff2879be743d2f0e166420b26d108afada3d84a5ddbaaf2755af4

Download Submit
C:\Windows\SYSTEM.INI

Filesize
257B

MD5
d49c1dabd8179a160cb0bce97c82a6c3

SHA1
3d4a52c32926c2049de2a2b803348521155d4135

SHA256
254daa667468ec81f1c3c0361743a1d680cfa16051c6d20d83ed950313c41461

SHA512
f4ec60939dcdfaa734ac9376764a30d9a95bb2fcdea984a2316aa051b9780406f89eb799934cab69b8028e7460269b56e274a9812ac41e3c605ee6b8584af585

Download Submit
C:\rvbpv.exe

Filesize
100KB

MD5
515250c8786fef5c17471458c1457e0d

SHA1
8c7a75d4657fdab200b7319355f9c350be0e7cea

SHA256
90ef862a3405ac2d839904d3060c97694cf6b5230533e0963b1bbb83ad49e0af

SHA512
6823f4930b2d344acf410f3c7fdcd3ed85aa320417ee645ecc8b5b02b43b861b9f7f6ea8c2dab1beea46e512e480db48346e9ba6eb30754535417f71701d80ce

Download Submit
memory/772-173-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1116-6-0x0000000000310000-0x0000000000312000-memory.dmp

Filesize
8KB

Download
memory/2084-44-0x0000000000630000-0x00000000016BE000-memory.dmp

Filesize
16.6MB

Download
memory/2084-52-0x0000000000630000-0x00000000016BE000-memory.dmp

Filesize
16.6MB

Download
memory/2084-18-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/2084-20-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/2084-17-0x0000000000630000-0x00000000016BE000-memory.dmp

Filesize
16.6MB

Download
memory/2084-21-0x0000000000630000-0x00000000016BE000-memory.dmp

Filesize
16.6MB

Download
memory/2084-22-0x0000000000630000-0x00000000016BE000-memory.dmp

Filesize
16.6MB

Download
memory/2084-25-0x0000000000470000-0x0000000000472000-memory.dmp

Filesize
8KB

Download
memory/2084-23-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2084-28-0x0000000000630000-0x00000000016BE000-memory.dmp

Filesize
16.6MB

Download
memory/2084-29-0x0000000000630000-0x00000000016BE000-memory.dmp

Filesize
16.6MB

Download
memory/2084-30-0x0000000000630000-0x00000000016BE000-memory.dmp

Filesize
16.6MB

Download
memory/2084-31-0x0000000000630000-0x00000000016BE000-memory.dmp

Filesize
16.6MB

Download
memory/2084-32-0x0000000000630000-0x00000000016BE000-memory.dmp

Filesize
16.6MB

Download
memory/2084-33-0x0000000000470000-0x0000000000472000-memory.dmp

Filesize
8KB

Download
memory/2084-42-0x0000000000630000-0x00000000016BE000-memory.dmp

Filesize
16.6MB

Download
memory/2084-43-0x0000000000630000-0x00000000016BE000-memory.dmp

Filesize
16.6MB

Download
memory/2084-0-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2084-46-0x0000000000630000-0x00000000016BE000-memory.dmp

Filesize
16.6MB

Download
memory/2084-48-0x0000000000630000-0x00000000016BE000-memory.dmp

Filesize
16.6MB

Download
memory/2084-50-0x0000000000630000-0x00000000016BE000-memory.dmp

Filesize
16.6MB

Download
memory/2084-16-0x0000000000470000-0x0000000000472000-memory.dmp

Filesize
8KB

Download
memory/2084-53-0x0000000000630000-0x00000000016BE000-memory.dmp

Filesize
16.6MB

Download
memory/2084-54-0x0000000000630000-0x00000000016BE000-memory.dmp

Filesize
16.6MB

Download
memory/2084-61-0x0000000000630000-0x00000000016BE000-memory.dmp

Filesize
16.6MB

Download
memory/2084-67-0x0000000000630000-0x00000000016BE000-memory.dmp

Filesize
16.6MB

Download
memory/2084-68-0x0000000000630000-0x00000000016BE000-memory.dmp

Filesize
16.6MB

Download
memory/2084-14-0x0000000000630000-0x00000000016BE000-memory.dmp

Filesize
16.6MB

Download
memory/2084-186-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2084-2-0x0000000000630000-0x00000000016BE000-memory.dmp

Filesize
16.6MB

Download
memory/2084-10-0x0000000000630000-0x00000000016BE000-memory.dmp

Filesize
16.6MB

Download
memory/2084-4-0x0000000000630000-0x00000000016BE000-memory.dmp

Filesize
16.6MB

Download
memory/2084-5-0x0000000000630000-0x00000000016BE000-memory.dmp

Filesize
16.6MB

Download
memory/2084-7-0x0000000000630000-0x00000000016BE000-memory.dmp

Filesize
16.6MB

Download
memory/2184-121-0x00000000005E0000-0x000000000166E000-memory.dmp

Filesize
16.6MB

Download
memory/2184-78-0x00000000005E0000-0x000000000166E000-memory.dmp

Filesize
16.6MB

Download
memory/2184-150-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2184-151-0x00000000005E0000-0x000000000166E000-memory.dmp

Filesize
16.6MB

Download
memory/2184-77-0x00000000005E0000-0x000000000166E000-memory.dmp

Filesize
16.6MB

Download
memory/2184-74-0x00000000005E0000-0x000000000166E000-memory.dmp

Filesize
16.6MB

Download
memory/2184-75-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download