sality | 18406570651fe8d84cd113ce296ba24cc18c8d7c0c49c2bdecfb2dc406a720cf

Analysis

max time kernel
56s
max time network
57s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
12/05/2024, 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27.exe
Size

16.4MB
MD5

d5e4ae893072bfdb88729dd6b572a410
SHA1

1c05484521c3510b47b6b1d82a4662a5467929fc
SHA256

18406570651fe8d84cd113ce296ba24cc18c8d7c0c49c2bdecfb2dc406a720cf
SHA512

f2d02fc89da1e8250f36d9535567d975c807ab6a159d0d2bf05fecc2f50ef385810b5d254e86a64c98af4ef2671f2490c44d04a0fa66d1ac8f1b6a804d131338
SSDEEP

393216:JYn/8ChcK7ZaawHar7H3S+15X9daChPPX4DnpnVVpXrsi:JY/8ChbkawHY7H19QWPX2nVVp7l

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	Runner.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	Runner.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	Runner.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Runner.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Runner.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Runner.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Runner.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Runner.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	Runner.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Runner.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Runner.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Runner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Runner.exe

Executes dropped EXE 1 IoCs

pid	Process
2916	Runner.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine	Runner.exe

Loads dropped DLL 8 IoCs

pid	Process
1636	27.exe
1636	27.exe
1636	27.exe
2916	Runner.exe
2916	Runner.exe
2916	Runner.exe
2916	Runner.exe
2916	Runner.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2916-67-0x0000000002550000-0x00000000035DE000-memory.dmp	upx
behavioral1/memory/2916-68-0x0000000002550000-0x00000000035DE000-memory.dmp	upx
behavioral1/memory/2916-71-0x0000000002550000-0x00000000035DE000-memory.dmp	upx
behavioral1/memory/2916-70-0x0000000002550000-0x00000000035DE000-memory.dmp	upx
behavioral1/memory/2916-73-0x0000000002550000-0x00000000035DE000-memory.dmp	upx
behavioral1/memory/2916-72-0x0000000002550000-0x00000000035DE000-memory.dmp	upx
behavioral1/memory/2916-64-0x0000000002550000-0x00000000035DE000-memory.dmp	upx
behavioral1/memory/2916-61-0x0000000002550000-0x00000000035DE000-memory.dmp	upx
behavioral1/memory/2916-69-0x0000000002550000-0x00000000035DE000-memory.dmp	upx
behavioral1/memory/2916-66-0x0000000002550000-0x00000000035DE000-memory.dmp	upx
behavioral1/memory/2916-65-0x0000000002550000-0x00000000035DE000-memory.dmp	upx
behavioral1/memory/2916-109-0x0000000002550000-0x00000000035DE000-memory.dmp	upx
behavioral1/memory/2916-111-0x0000000002550000-0x00000000035DE000-memory.dmp	upx
behavioral1/memory/2916-110-0x0000000002550000-0x00000000035DE000-memory.dmp	upx
behavioral1/memory/2916-113-0x0000000002550000-0x00000000035DE000-memory.dmp	upx
behavioral1/memory/2916-141-0x0000000002550000-0x00000000035DE000-memory.dmp	upx
behavioral1/memory/2916-142-0x0000000002550000-0x00000000035DE000-memory.dmp	upx
behavioral1/memory/2916-144-0x0000000002550000-0x00000000035DE000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Runner.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Runner.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Runner.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	Runner.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Runner.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	Runner.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Runner.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	Runner.exe
File opened (read-only)	\??\J:	Runner.exe
File opened (read-only)	\??\M:	Runner.exe
File opened (read-only)	\??\N:	Runner.exe
File opened (read-only)	\??\O:	Runner.exe
File opened (read-only)	\??\W:	Runner.exe
File opened (read-only)	\??\Y:	Runner.exe
File opened (read-only)	\??\I:	Runner.exe
File opened (read-only)	\??\P:	Runner.exe
File opened (read-only)	\??\Q:	Runner.exe
File opened (read-only)	\??\R:	Runner.exe
File opened (read-only)	\??\T:	Runner.exe
File opened (read-only)	\??\G:	Runner.exe
File opened (read-only)	\??\K:	Runner.exe
File opened (read-only)	\??\L:	Runner.exe
File opened (read-only)	\??\U:	Runner.exe
File opened (read-only)	\??\Z:	Runner.exe
File opened (read-only)	\??\H:	Runner.exe
File opened (read-only)	\??\S:	Runner.exe
File opened (read-only)	\??\V:	Runner.exe
File opened (read-only)	\??\X:	Runner.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	Runner.exe
File opened for modification	F:\autorun.inf	Runner.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	Runner.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	Runner.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Ver = "6a9dd8da"	27.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	27.exe

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ = "QMDispatch.QMLibrary"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.File\ = "QMPlugin.File"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\MyMacro\\plugin\\FILE.dll"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID\ = "QMDispatch.QMLibrary"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}\ProgID\ = "QMPlugin.File"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\ = "QMDispatch.QMRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\ = "QMDispatch.QMLibrary"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID\ = "{241D7F03-9232-4024-8373-149860BE27C0}"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\ = "QMDispatch.QMRoutine"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID\ = "{EBEB87A6-E151-4054-AB45-A6E094C5334B}"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.File\CLSID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.File	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}\ = "QMPlugin.File"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InprocServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}\ProgID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ = "QMDispatch.QMRoutine"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}\InProcServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InprocServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.File\CLSID\ = "{57477331-126E-4FC8-B430-1C6143484AA9}"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary	Runner.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2688	PING.EXE
1752	PING.EXE
1308	PING.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1636	27.exe
2916	Runner.exe
2916	Runner.exe
2916	Runner.exe
2916	Runner.exe
2916	Runner.exe
2916	Runner.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	Runner.exe
Token: SeDebugPrivilege	2916	Runner.exe
Token: SeDebugPrivilege	2916	Runner.exe
Token: SeDebugPrivilege	2916	Runner.exe
Token: SeDebugPrivilege	2916	Runner.exe
Token: SeDebugPrivilege	2916	Runner.exe
Token: SeDebugPrivilege	2916	Runner.exe
Token: SeDebugPrivilege	2916	Runner.exe
Token: SeDebugPrivilege	2916	Runner.exe
Token: SeDebugPrivilege	2916	Runner.exe
Token: SeDebugPrivilege	2916	Runner.exe
Token: SeDebugPrivilege	2916	Runner.exe
Token: SeDebugPrivilege	2916	Runner.exe
Token: SeDebugPrivilege	2916	Runner.exe
Token: SeDebugPrivilege	2916	Runner.exe
Token: SeDebugPrivilege	2916	Runner.exe
Token: SeDebugPrivilege	2916	Runner.exe
Token: SeDebugPrivilege	2916	Runner.exe
Token: SeDebugPrivilege	2916	Runner.exe
Token: SeDebugPrivilege	2916	Runner.exe
Token: SeDebugPrivilege	2916	Runner.exe
Token: SeDebugPrivilege	2916	Runner.exe
Token: SeDebugPrivilege	2916	Runner.exe
Token: SeDebugPrivilege	2916	Runner.exe
Token: SeDebugPrivilege	2916	Runner.exe
Token: SeDebugPrivilege	2916	Runner.exe
Token: SeDebugPrivilege	2916	Runner.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1636	27.exe
1636	27.exe
1636	27.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1636	27.exe
1636	27.exe
1636	27.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
1636	27.exe
1636	27.exe
1636	27.exe
1636	27.exe
1636	27.exe
1636	27.exe
1636	27.exe
1636	27.exe
1636	27.exe
1636	27.exe
2916	Runner.exe
2916	Runner.exe
2916	Runner.exe
2916	Runner.exe
2916	Runner.exe
2916	Runner.exe
2916	Runner.exe
2916	Runner.exe
2916	Runner.exe
2916	Runner.exe
2916	Runner.exe
2916	Runner.exe
2916	Runner.exe
2916	Runner.exe
1636	27.exe
2916	Runner.exe
2916	Runner.exe
1636	27.exe
1636	27.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 2688	1636	27.exe	28
PID 1636 wrote to memory of 2688	1636	27.exe	28
PID 1636 wrote to memory of 2688	1636	27.exe	28
PID 1636 wrote to memory of 2688	1636	27.exe	28
PID 1636 wrote to memory of 2916	1636	27.exe	30
PID 1636 wrote to memory of 2916	1636	27.exe	30
PID 1636 wrote to memory of 2916	1636	27.exe	30
PID 1636 wrote to memory of 2916	1636	27.exe	30
PID 2916 wrote to memory of 1056	2916	Runner.exe	18
PID 2916 wrote to memory of 1088	2916	Runner.exe	19
PID 2916 wrote to memory of 1180	2916	Runner.exe	21
PID 2916 wrote to memory of 2160	2916	Runner.exe	23
PID 2916 wrote to memory of 1636	2916	Runner.exe	27
PID 2916 wrote to memory of 1636	2916	Runner.exe	27
PID 2916 wrote to memory of 2688	2916	Runner.exe	28
PID 2916 wrote to memory of 2688	2916	Runner.exe	28
PID 2916 wrote to memory of 2448	2916	Runner.exe	29
PID 2916 wrote to memory of 1056	2916	Runner.exe	18
PID 2916 wrote to memory of 1088	2916	Runner.exe	19
PID 2916 wrote to memory of 1180	2916	Runner.exe	21
PID 2916 wrote to memory of 2160	2916	Runner.exe	23
PID 1636 wrote to memory of 1752	1636	27.exe	32
PID 1636 wrote to memory of 1752	1636	27.exe	32
PID 1636 wrote to memory of 1752	1636	27.exe	32
PID 1636 wrote to memory of 1752	1636	27.exe	32
PID 1636 wrote to memory of 1308	1636	27.exe	34
PID 1636 wrote to memory of 1308	1636	27.exe	34
PID 1636 wrote to memory of 1308	1636	27.exe	34
PID 1636 wrote to memory of 1308	1636	27.exe	34
PID 2916 wrote to memory of 1056	2916	Runner.exe	18
PID 2916 wrote to memory of 1088	2916	Runner.exe	19
PID 2916 wrote to memory of 1180	2916	Runner.exe	21
PID 2916 wrote to memory of 2160	2916	Runner.exe	23
PID 2916 wrote to memory of 1056	2916	Runner.exe	18
PID 2916 wrote to memory of 1088	2916	Runner.exe	19
PID 2916 wrote to memory of 1180	2916	Runner.exe	21
PID 2916 wrote to memory of 2160	2916	Runner.exe	23
PID 2916 wrote to memory of 1056	2916	Runner.exe	18
PID 2916 wrote to memory of 1088	2916	Runner.exe	19
PID 2916 wrote to memory of 1180	2916	Runner.exe	21
PID 2916 wrote to memory of 2160	2916	Runner.exe	23
PID 2916 wrote to memory of 1056	2916	Runner.exe	18
PID 2916 wrote to memory of 1088	2916	Runner.exe	19
PID 2916 wrote to memory of 1180	2916	Runner.exe	21
PID 2916 wrote to memory of 2160	2916	Runner.exe	23
PID 2916 wrote to memory of 1424	2916	Runner.exe	39

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Runner.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1056

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1088

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1180
- C:\Users\Admin\AppData\Local\Temp\27.exe
  "C:\Users\Admin\AppData\Local\Temp\27.exe"
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\PING.EXE
    "C:\Windows\System32\PING.EXE" www.baidu.com -n 2
    3⤵
    - Runs ping.exe
    PID:2688
- - C:\Users\Admin\AppData\Roaming\MyMacro\Runner.exe
    --host_id 3 --verify_key 4DquLl6Qoo1W --product "C:\Users\Admin\AppData\Local\Temp\27.exe" --version 2014.05.17762
    3⤵
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2916
- - C:\Windows\SysWOW64\PING.EXE
    "C:\Windows\System32\PING.EXE" www.baidu.com -n 2
    3⤵
    - Runs ping.exe
    PID:1752
- - C:\Windows\SysWOW64\PING.EXE
    "C:\Windows\System32\PING.EXE" www.baidu.com -n 2
    3⤵
    - Runs ping.exe
    PID:1308

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2160

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-638692015508924019801010921782926179-2017591750-1851432044-17194426881034049663"
1⤵
PID:2448

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QMLog\20240512.log

Filesize
324B

MD5
68d56c34590edd87cb314d379991a243

SHA1
585e633f81500bb030c08b4dfb3573c65de589f9

SHA256
c250792fb97e1b521648fc5aee2b4d15b5ed0d9f376b5ea094e3faaecda4f657

SHA512
b387b55f5990bdc5cfb79c365279333464878a4d9f98d35f450accbcee8dcdc19d95ceecdce928d06aa662361183057641eab832ad672da23b09c72fe543cb3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mac29EE.tmp

Filesize
334B

MD5
b710ac0159d04681fafe19d6faf94e21

SHA1
1db4532f1fcef0fe5f71eb594130e68ced6bd754

SHA256
c40c60491004e3dd9bcbbb3636366b213c2bec004da7f1fe0b235aca1ae428d5

SHA512
6872745730688e7a8259e1605ec81fb451cedcf5ffc6f4c1eb28d8c6abbd100e3bef40725489daba19ba11740c67cfcb93467e98427dcaf13912392c464e9a56

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\plugin\FILE.dll

Filesize
64KB

MD5
4723c8d438821f0b0bc7edfe9811a1dc

SHA1
26af38caf333364e6f3c613a374055c58d241ced

SHA256
5fae639451537023dac63435b819b8b8c7ef96dc2fcf768c5f43172e2bb8ab65

SHA512
c7d68bf0b5ceba48548bbd31799570125299a33fe63583e1a2bac0a91372132a928ab1d1907f72860aa1002f231133a2643e2132e3009d81d05d4a2a17c4c15e

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\plugin\FILE.ini

Filesize
2KB

MD5
e04472109d3e00286933cc1675760427

SHA1
c0c2ed2fda1884b5d00c6d292589a3920907eaa3

SHA256
06e641716fe6ffb936655579a63aca7d16dfc8f24f9ba8498a53c0359dc158a5

SHA512
bf42775f9de3653e583838d8dec718bc8c993a350593e0146159da6869d2edc67d0266d6f7dea8eb3cfa3c8fa8e8ebdf5454144f0a347646df3fa6cf3802fc87

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\qdisp.dll

Filesize
303KB

MD5
014c01cd6522778e1e15be0e696dfe0c

SHA1
c908376fcc4525ec5c4b35d289ef1361ea5cb2d9

SHA256
259eaf1ddc9bf610d11a22413853b3d4386fc5a8412c6e602c74eb43f1a32d46

SHA512
3b8d040b4a6e879ecf3bafba336b2fc8d793d4f6931902faf87e8f64faf6eca7f1f21485794cffe16c7d0ea907b9f6db93df0b4bae8cb3684733e95608523fd9

Download Submit
F:\jcjpt.pif

Filesize
100KB

MD5
7ef9156528314f0dec47b6f989bbe79f

SHA1
69f13d0ea41cfebc96eb770b9e77f017a75af4d0

SHA256
f17aec26264e36155810e0925ab6dce9e0c01acac3a8781bf15332fdc247a211

SHA512
9b4702619d0b886a4362f0c185c6bde4cb57a886d42ef7bf033775307b28b604446041cbac679cfda0031c05657b4f6d1853c492fa07195ccf134c5de0efee13

Download Submit
\Users\Admin\AppData\Local\Temp\27.exe

Filesize
16.4MB

MD5
d5e4ae893072bfdb88729dd6b572a410

SHA1
1c05484521c3510b47b6b1d82a4662a5467929fc

SHA256
18406570651fe8d84cd113ce296ba24cc18c8d7c0c49c2bdecfb2dc406a720cf

SHA512
f2d02fc89da1e8250f36d9535567d975c807ab6a159d0d2bf05fecc2f50ef385810b5d254e86a64c98af4ef2671f2490c44d04a0fa66d1ac8f1b6a804d131338

Download Submit
\Users\Admin\AppData\Roaming\MyMacro\Runner.exe

Filesize
7.3MB

MD5
dc33dd88807b544d1a45fa30b11d1751

SHA1
82724439b8c4117941fa515366b3cf6ac414e65b

SHA256
8849bc9012db7be6c38b3c4c00dd4f1698fb2953d82ddc0de48639521ad4ecdf

SHA512
39f7eccbe784dd5265a916dc160942ab5aea92641bc3a72eb1b1433f33ab8497f4ef96a9e5f10599657b8f67fc84bce55da70c42784293c225dab75471a74dd6

Download Submit
\Users\Admin\AppData\Roaming\MyMacro\cfgdll.dll

Filesize
59KB

MD5
b35416c2b3e818894df95608b76934f7

SHA1
bbdd1c0f49e9ce54e9312f5edfead76d343c21cf

SHA256
8147481d1c93da5ce5de7ff7a72a45756d45ea1f27d27bb8c9944642f42549a3

SHA512
92382562761b36b4ed2ec0bba832c66c8f720e190630596ff830a047a498889e7a0f3628d1a3ffac066b06ccd8c2d3840e82b4304b636e1b1ee434910c6f0bdf

Download Submit
memory/1056-75-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/1636-88-0x0000000003B50000-0x0000000003B51000-memory.dmp

Filesize
4KB

Download
memory/1636-62-0x0000000006130000-0x0000000006874000-memory.dmp

Filesize
7.3MB

Download
memory/1636-85-0x0000000003B40000-0x0000000003B42000-memory.dmp

Filesize
8KB

Download
memory/1636-60-0x0000000006130000-0x0000000006874000-memory.dmp

Filesize
7.3MB

Download
memory/1636-86-0x0000000003B50000-0x0000000003B51000-memory.dmp

Filesize
4KB

Download
memory/1636-104-0x0000000003B40000-0x0000000003B42000-memory.dmp

Filesize
8KB

Download
memory/2688-105-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2688-107-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2688-94-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2916-113-0x0000000002550000-0x00000000035DE000-memory.dmp

Filesize
16.6MB

Download
memory/2916-111-0x0000000002550000-0x00000000035DE000-memory.dmp

Filesize
16.6MB

Download
memory/2916-69-0x0000000002550000-0x00000000035DE000-memory.dmp

Filesize
16.6MB

Download
memory/2916-66-0x0000000002550000-0x00000000035DE000-memory.dmp

Filesize
16.6MB

Download
memory/2916-65-0x0000000002550000-0x00000000035DE000-memory.dmp

Filesize
16.6MB

Download
memory/2916-73-0x0000000002550000-0x00000000035DE000-memory.dmp

Filesize
16.6MB

Download
memory/2916-64-0x0000000002550000-0x00000000035DE000-memory.dmp

Filesize
16.6MB

Download
memory/2916-74-0x0000000000400000-0x0000000000B44000-memory.dmp

Filesize
7.3MB

Download
memory/2916-102-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2916-110-0x0000000002550000-0x00000000035DE000-memory.dmp

Filesize
16.6MB

Download
memory/2916-61-0x0000000002550000-0x00000000035DE000-memory.dmp

Filesize
16.6MB

Download
memory/2916-72-0x0000000002550000-0x00000000035DE000-memory.dmp

Filesize
16.6MB

Download
memory/2916-109-0x0000000002550000-0x00000000035DE000-memory.dmp

Filesize
16.6MB

Download
memory/2916-70-0x0000000002550000-0x00000000035DE000-memory.dmp

Filesize
16.6MB

Download
memory/2916-71-0x0000000002550000-0x00000000035DE000-memory.dmp

Filesize
16.6MB

Download
memory/2916-141-0x0000000002550000-0x00000000035DE000-memory.dmp

Filesize
16.6MB

Download
memory/2916-140-0x0000000000400000-0x0000000000B44000-memory.dmp

Filesize
7.3MB

Download
memory/2916-142-0x0000000002550000-0x00000000035DE000-memory.dmp

Filesize
16.6MB

Download
memory/2916-144-0x0000000002550000-0x00000000035DE000-memory.dmp

Filesize
16.6MB

Download
memory/2916-68-0x0000000002550000-0x00000000035DE000-memory.dmp

Filesize
16.6MB

Download
memory/2916-67-0x0000000002550000-0x00000000035DE000-memory.dmp

Filesize
16.6MB

Download
memory/2916-298-0x0000000000400000-0x0000000000B44000-memory.dmp

Filesize
7.3MB

Download
memory/2916-103-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download