Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/01/2024, 23:37
Static task: static1
Behavioral task: behavioral1
Sample: 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
Resource: win7-20231215-en
General
Target: 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
Size: 2.0MB
MD5: 5db56687e8a5f8c6427ce66553e4e114
SHA1: 3a12d269e92069003f9df495781014a7c2c792ab
SHA256: 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d
SHA512: 2a4bafc2784776a17bb079cbf6e7a0b29f3e611e07eba10bcad8cb18b0f268a027caf848ab2ab2ee240826c7f3686944addb9ebd428cc07ae5cdf121347f61bb
SSDEEP: 49152:XHQgiu6miKiBRWWlMO2CRvNEhJUZE+e6128bacag:XLiu6miZB5l+qvuUZhm8bacag
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 2 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | loader.exe
Executes dropped EXE 2 IoCs
pid | Process
4840 | loader.exe
3156 | LUpdater.exe
resource | yara_rule
behavioral2/memory/2628-1-0x0000000002400000-0x00000000034BA000-memory.dmp | upx
behavioral2/memory/2628-3-0x0000000002400000-0x00000000034BA000-memory.dmp | upx
behavioral2/memory/2628-17-0x0000000002400000-0x00000000034BA000-memory.dmp | upx
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
Drops file in Program Files directory 34 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\.temp\ | loader.exe
File created | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\.temp\webclient.exe | LUpdater.exe
File opened for modification | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\LUpdater.exe | loader.exe
File opened for modification | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\LUPDATER\2024-01-13.log | LUpdater.exe
File opened for modification | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\config.ini | loader.exe
File created | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\LUpdater.exe | loader.exe
File created | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\.temp\setdownloadfiles.ini | LUpdater.exe
File created | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\.temp\loader.exe | LUpdater.exe
File created | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\.temp\libdata.dll | LUpdater.exe
File created | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\.temp\lbw919.dat | LUpdater.exe
File created | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\config.ini | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
File created | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\cybercafe.ini | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
File created | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\.temp\webuhaozu.xml | loader.exe
File created | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\.temp\uWebGames.exe | LUpdater.exe
File created | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\.temp\node.dll | LUpdater.exe
File created | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\.temp\nfapi.dll | LUpdater.exe
File created | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\.temp\mb.dll | LUpdater.exe
File created | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\.temp\Redirector.bin | LUpdater.exe
File created | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\.temp\QRCodedll.dll | LUpdater.exe
File created | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\.temp\Netdll.dll | LUpdater.exe
File opened for modification | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\config.dat | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
File created | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\.temp\nfdriver.sys | LUpdater.exe
File created | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\.temp\lppi.exe | LUpdater.exe
File created | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\.temp\li.dat | LUpdater.exe
File created | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\.temp\dllclient.dll | LUpdater.exe
File created | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\.temp\rd.bin | LUpdater.exe
File opened for modification | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\testurl.ini | loader.exe
File created | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\.temp\LUpdater.exe | loader.exe
File opened for modification | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\testurl.ini | LUpdater.exe
File created | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\.temp\lbr914.dat | LUpdater.exe
File created | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\loader.exe | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
File opened for modification | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\ver.ini | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
File opened for modification | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\LUPDATER\2024-01-13.log | loader.exe
File created | C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\.temp\sysx.sys | LUpdater.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\e574a47 | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
File opened for modification | C:\Windows\SYSTEM.INI | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2628 | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
2628 | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
4840 | loader.exe
4840 | loader.exe
4840 | loader.exe
4840 | loader.exe
Suspicious use of AdjustPrivilegeToken 63 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2628 | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
(identical entry repeated 63 times)
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
2628 | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
2628 | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
3156 | LUpdater.exe
Suspicious use of WriteProcessMemory 19 IoCs
description | pid | Process | procid_target
PID 2628 wrote to memory of 760 | 2628 | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe | 90
PID 2628 wrote to memory of 764 | 2628 | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe | 89
PID 2628 wrote to memory of 60 | 2628 | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe | 8
PID 2628 wrote to memory of 2520 | 2628 | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe | 63
PID 2628 wrote to memory of 2536 | 2628 | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe | 62
PID 2628 wrote to memory of 2680 | 2628 | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe | 59
PID 2628 wrote to memory of 3476 | 2628 | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe | 46
PID 2628 wrote to memory of 3608 | 2628 | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe | 45
PID 2628 wrote to memory of 3816 | 2628 | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe | 44
PID 2628 wrote to memory of 3908 | 2628 | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe | 42
PID 2628 wrote to memory of 3976 | 2628 | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe | 41
PID 2628 wrote to memory of 4060 | 2628 | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe | 40
PID 2628 wrote to memory of 3628 | 2628 | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe | 39
PID 2628 wrote to memory of 4840 | 2628 | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe | 43
PID 2628 wrote to memory of 4840 | 2628 | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe | 43
PID 2628 wrote to memory of 4840 | 2628 | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe | 43
PID 4840 wrote to memory of 3156 | 4840 | loader.exe | 101
PID 4840 wrote to memory of 3156 | 4840 | loader.exe | 101
PID 4840 wrote to memory of 3156 | 4840 | loader.exe | 101
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
Processes
C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
  PID: 60

C:\Users\Admin\AppData\Local\Temp\576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe"
  PID: 2628
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification

    C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\loader.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\576ce942efa95cc4e4883d0b6d627fd36518264fc0fa6075ed3cdb81730dbc2d.exe"
      PID: 4840
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\LUpdater.exe
          command line: "C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\LUpdater.exe" -url=https://update.yxb321.com/files/webuhaozu/Update.xml -e="C:\Program Files (x86)\f284c7fdc9deb65b00c2d2594d40b0e9\webclient.exe" -p="c_uhaozu.zhanghaodaren.com:0" -st=2 -pid=4840
          PID: 3156
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Suspicious use of SetWindowsHookEx

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3628

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4060

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3976

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3908

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3816

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3608

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3476

C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2680

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2536

C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2520

C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 764

C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 760
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Create or Modify System Process 1
    Windows Service 1
Downloads