sality | 7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b

Windows Service

T1543.003

Processes:

7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe

Windows security bypass 2 TTPs 6 IoCs

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe

Executes dropped EXE 2 IoCs

Processes:

Logo1_.exe7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe

pid process

2780 Logo1_.exe
1520 7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe.exe	upx
behavioral2/memory/1520-18-0x0000000000400000-0x00000000006E5000-memory.dmp	upx
behavioral2/memory/1520-19-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-21-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-22-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-23-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-24-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-25-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-26-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-27-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-28-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-41-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-42-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-44-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-45-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-46-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-48-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-49-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-50-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-52-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-55-0x0000000000400000-0x00000000006E5000-memory.dmp	upx
behavioral2/memory/1520-53-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-57-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-59-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-62-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-64-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-66-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-68-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-75-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-77-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-87-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-89-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-91-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-94-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-96-0x0000000002600000-0x000000000368E000-memory.dmp	upx
behavioral2/memory/1520-99-0x0000000002600000-0x000000000368E000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

Processes:

7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exeLogo1_.exe

description	ioc	process
File opened (read-only)	\??\Y:	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\E:	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
File opened (read-only)	\??\I:	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\H:	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
File opened (read-only)	\??\J:	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\L:	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
File opened (read-only)	\??\N:	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
File opened (read-only)	\??\S:	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
File opened (read-only)	\??\T:	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
File opened (read-only)	\??\M:	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
File opened (read-only)	\??\O:	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\W:	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
File opened (read-only)	\??\X:	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
File opened (read-only)	\??\U:	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
File opened (read-only)	\??\V:	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
File opened (read-only)	\??\Z:	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\R:	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
File opened (read-only)	\??\Q:	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\K:	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe

description	ioc	process
File opened for modification	C:\autorun.inf	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
File opened for modification	F:\autorun.inf	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\typing\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\7.0.16\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notetagsUI\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\Content\Shaders\LoadedModelShaders\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\codecpacks.VP9.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\codecpacks.heif.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateSetup.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\_desktop.ini	Logo1_.exe

Drops file in Windows directory 5 IoCs

Processes:

Logo1_.exe7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe

description	ioc	process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File opened for modification	C:\Windows\SYSTEM.INI	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
File created	C:\Windows\Logo1_.exe	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

Logo1_.exe7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe

pid	process
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe

description	pid	process
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
Token: SeDebugPrivilege	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe

pid	process
1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exeLogo1_.exenet.execmd.exe7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe

description	pid	process	target process
PID 316 wrote to memory of 940	316	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	cmd.exe
PID 316 wrote to memory of 940	316	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	cmd.exe
PID 316 wrote to memory of 940	316	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	cmd.exe
PID 316 wrote to memory of 2780	316	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	Logo1_.exe
PID 316 wrote to memory of 2780	316	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	Logo1_.exe
PID 316 wrote to memory of 2780	316	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	Logo1_.exe
PID 2780 wrote to memory of 1420	2780	Logo1_.exe	net.exe
PID 2780 wrote to memory of 1420	2780	Logo1_.exe	net.exe
PID 2780 wrote to memory of 1420	2780	Logo1_.exe	net.exe
PID 1420 wrote to memory of 2268	1420	net.exe	net1.exe
PID 1420 wrote to memory of 2268	1420	net.exe	net1.exe
PID 1420 wrote to memory of 2268	1420	net.exe	net1.exe
PID 940 wrote to memory of 1520	940	cmd.exe	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
PID 940 wrote to memory of 1520	940	cmd.exe	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
PID 940 wrote to memory of 1520	940	cmd.exe	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
PID 1520 wrote to memory of 792	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	fontdrvhost.exe
PID 1520 wrote to memory of 800	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	fontdrvhost.exe
PID 1520 wrote to memory of 380	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	dwm.exe
PID 1520 wrote to memory of 2636	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	sihost.exe
PID 1520 wrote to memory of 2668	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	svchost.exe
PID 1520 wrote to memory of 2828	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	taskhostw.exe
PID 1520 wrote to memory of 3364	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	Explorer.EXE
PID 1520 wrote to memory of 3556	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	svchost.exe
PID 1520 wrote to memory of 3760	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	DllHost.exe
PID 1520 wrote to memory of 3848	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	StartMenuExperienceHost.exe
PID 1520 wrote to memory of 3916	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	RuntimeBroker.exe
PID 1520 wrote to memory of 4008	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	SearchApp.exe
PID 1520 wrote to memory of 432	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	RuntimeBroker.exe
PID 1520 wrote to memory of 4536	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	TextInputHost.exe
PID 1520 wrote to memory of 3940	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	RuntimeBroker.exe
PID 1520 wrote to memory of 4408	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	backgroundTaskHost.exe
PID 1520 wrote to memory of 4568	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	backgroundTaskHost.exe
PID 1520 wrote to memory of 3144	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	backgroundTaskHost.exe
PID 1520 wrote to memory of 940	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	cmd.exe
PID 1520 wrote to memory of 940	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	cmd.exe
PID 1520 wrote to memory of 2780	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	Logo1_.exe
PID 1520 wrote to memory of 2780	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	Logo1_.exe
PID 1520 wrote to memory of 3868	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	Conhost.exe
PID 2780 wrote to memory of 3364	2780	Logo1_.exe	Explorer.EXE
PID 2780 wrote to memory of 3364	2780	Logo1_.exe	Explorer.EXE
PID 1520 wrote to memory of 792	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	fontdrvhost.exe
PID 1520 wrote to memory of 800	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	fontdrvhost.exe
PID 1520 wrote to memory of 380	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	dwm.exe
PID 1520 wrote to memory of 2636	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	sihost.exe
PID 1520 wrote to memory of 2668	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	svchost.exe
PID 1520 wrote to memory of 2828	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	taskhostw.exe
PID 1520 wrote to memory of 3364	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	Explorer.EXE
PID 1520 wrote to memory of 3556	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	svchost.exe
PID 1520 wrote to memory of 3760	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	DllHost.exe
PID 1520 wrote to memory of 3848	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	StartMenuExperienceHost.exe
PID 1520 wrote to memory of 3916	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	RuntimeBroker.exe
PID 1520 wrote to memory of 4008	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	SearchApp.exe
PID 1520 wrote to memory of 432	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	RuntimeBroker.exe
PID 1520 wrote to memory of 4536	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	TextInputHost.exe
PID 1520 wrote to memory of 3940	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	RuntimeBroker.exe
PID 1520 wrote to memory of 4408	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	backgroundTaskHost.exe
PID 1520 wrote to memory of 4568	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	backgroundTaskHost.exe
PID 1520 wrote to memory of 3868	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	Conhost.exe
PID 1520 wrote to memory of 2892	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	RuntimeBroker.exe
PID 1520 wrote to memory of 4448	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	RuntimeBroker.exe
PID 1520 wrote to memory of 792	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	fontdrvhost.exe
PID 1520 wrote to memory of 800	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	fontdrvhost.exe
PID 1520 wrote to memory of 380	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	dwm.exe
PID 1520 wrote to memory of 2636	1520	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe	sihost.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:800

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:380

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2668

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2828

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3364

C:\Users\Admin\AppData\Local\Temp\7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
"C:\Users\Admin\AppData\Local\Temp\7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a33B2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe
"C:\Users\Admin\AppData\Local\Temp\7c1454bb85428230d10e8afc863e2207e53cf6aa9c47735dcf18b73d49244a7b.exe"
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1520

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3556

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3760

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3848

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3916

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4008

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:432

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4536

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3940

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:4408

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:4568

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3144

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2892

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4448

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media