sality | ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95

Windows Service

T1543.003

Processes:

ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exeLogo1_.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

Processes:

Logo1_.execa39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe

Windows security bypass 2 TTPs 12 IoCs

Disable or Modify Tools

Modify Registry

Processes:

ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exeLogo1_.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Logo1_.exe

Executes dropped EXE 3 IoCs

Processes:

Logo1_.execa39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.execa39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe

pid	process
1664	Logo1_.exe
1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
4252	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1600-20-0x00000000008D0000-0x000000000195E000-memory.dmp	upx
behavioral2/memory/1600-22-0x00000000008D0000-0x000000000195E000-memory.dmp	upx
behavioral2/memory/1600-23-0x00000000008D0000-0x000000000195E000-memory.dmp	upx
behavioral2/memory/1600-24-0x00000000008D0000-0x000000000195E000-memory.dmp	upx
behavioral2/memory/1600-40-0x00000000008D0000-0x000000000195E000-memory.dmp	upx
behavioral2/memory/1600-44-0x00000000008D0000-0x000000000195E000-memory.dmp	upx
behavioral2/memory/1664-64-0x00000000033F0000-0x000000000447E000-memory.dmp	upx
behavioral2/memory/1664-67-0x00000000033F0000-0x000000000447E000-memory.dmp	upx
behavioral2/memory/1664-68-0x00000000033F0000-0x000000000447E000-memory.dmp	upx
behavioral2/memory/1664-72-0x00000000033F0000-0x000000000447E000-memory.dmp	upx
behavioral2/memory/1664-71-0x00000000033F0000-0x000000000447E000-memory.dmp	upx
behavioral2/memory/1664-69-0x00000000033F0000-0x000000000447E000-memory.dmp	upx
behavioral2/memory/1664-66-0x00000000033F0000-0x000000000447E000-memory.dmp	upx
behavioral2/memory/1664-70-0x00000000033F0000-0x000000000447E000-memory.dmp	upx
behavioral2/memory/1664-73-0x00000000033F0000-0x000000000447E000-memory.dmp	upx
behavioral2/memory/1664-75-0x00000000033F0000-0x000000000447E000-memory.dmp	upx
behavioral2/memory/1664-76-0x00000000033F0000-0x000000000447E000-memory.dmp	upx
behavioral2/memory/1664-77-0x00000000033F0000-0x000000000447E000-memory.dmp	upx
behavioral2/memory/1664-78-0x00000000033F0000-0x000000000447E000-memory.dmp	upx
behavioral2/memory/1664-79-0x00000000033F0000-0x000000000447E000-memory.dmp	upx
behavioral2/memory/1664-81-0x00000000033F0000-0x000000000447E000-memory.dmp	upx
behavioral2/memory/1664-82-0x00000000033F0000-0x000000000447E000-memory.dmp	upx
behavioral2/memory/1664-89-0x00000000033F0000-0x000000000447E000-memory.dmp	upx
behavioral2/memory/1664-92-0x00000000033F0000-0x000000000447E000-memory.dmp	upx
behavioral2/memory/1664-93-0x00000000033F0000-0x000000000447E000-memory.dmp	upx
behavioral2/memory/1664-94-0x00000000033F0000-0x000000000447E000-memory.dmp	upx
behavioral2/memory/1664-96-0x00000000033F0000-0x000000000447E000-memory.dmp	upx
behavioral2/memory/1664-100-0x00000000033F0000-0x000000000447E000-memory.dmp	upx
behavioral2/memory/1664-102-0x00000000033F0000-0x000000000447E000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

Disable or Modify Tools

Modify Registry

Processes:

ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exeLogo1_.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Logo1_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Logo1_.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

Processes:

ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exeLogo1_.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Logo1_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe

Drops file in Windows directory 7 IoCs

Processes:

Logo1_.execa39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.execa39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe

description	ioc	process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File opened for modification	C:\Windows\SYSTEM.INI	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
File opened for modification	C:\Windows\rundl132.exe	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
File created	C:\Windows\Logo1_.exe	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
File created	C:\Windows\Logo1_.exe	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

Logo1_.execa39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe

pid	process
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe
1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe

description	pid	process
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Token: SeDebugPrivilege	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exeLogo1_.exenet.execmd.execa39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.execmd.exe

description	pid	process	target process
PID 4788 wrote to memory of 5084	4788	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	cmd.exe
PID 4788 wrote to memory of 5084	4788	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	cmd.exe
PID 4788 wrote to memory of 5084	4788	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	cmd.exe
PID 4788 wrote to memory of 1664	4788	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	Logo1_.exe
PID 4788 wrote to memory of 1664	4788	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	Logo1_.exe
PID 4788 wrote to memory of 1664	4788	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	Logo1_.exe
PID 1664 wrote to memory of 2484	1664	Logo1_.exe	net.exe
PID 1664 wrote to memory of 2484	1664	Logo1_.exe	net.exe
PID 1664 wrote to memory of 2484	1664	Logo1_.exe	net.exe
PID 2484 wrote to memory of 4192	2484	net.exe	net1.exe
PID 2484 wrote to memory of 4192	2484	net.exe	net1.exe
PID 2484 wrote to memory of 4192	2484	net.exe	net1.exe
PID 5084 wrote to memory of 1600	5084	cmd.exe	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
PID 5084 wrote to memory of 1600	5084	cmd.exe	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
PID 5084 wrote to memory of 1600	5084	cmd.exe	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
PID 1600 wrote to memory of 784	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	fontdrvhost.exe
PID 1600 wrote to memory of 792	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	fontdrvhost.exe
PID 1600 wrote to memory of 1020	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	dwm.exe
PID 1600 wrote to memory of 2504	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	sihost.exe
PID 1600 wrote to memory of 2564	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	svchost.exe
PID 1600 wrote to memory of 2692	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	taskhostw.exe
PID 1600 wrote to memory of 3460	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	Explorer.EXE
PID 1600 wrote to memory of 3604	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	svchost.exe
PID 1600 wrote to memory of 3792	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	DllHost.exe
PID 1600 wrote to memory of 3896	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	StartMenuExperienceHost.exe
PID 1600 wrote to memory of 3960	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	RuntimeBroker.exe
PID 1600 wrote to memory of 4084	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	SearchApp.exe
PID 1600 wrote to memory of 4140	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	RuntimeBroker.exe
PID 1600 wrote to memory of 4464	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	RuntimeBroker.exe
PID 1600 wrote to memory of 336	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	TextInputHost.exe
PID 1600 wrote to memory of 1316	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	backgroundTaskHost.exe
PID 1600 wrote to memory of 412	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	backgroundTaskHost.exe
PID 1600 wrote to memory of 5084	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	cmd.exe
PID 1600 wrote to memory of 5084	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	cmd.exe
PID 1600 wrote to memory of 1664	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	Logo1_.exe
PID 1600 wrote to memory of 1664	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	Logo1_.exe
PID 1600 wrote to memory of 3016	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	Conhost.exe
PID 1600 wrote to memory of 828	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	cmd.exe
PID 1600 wrote to memory of 828	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	cmd.exe
PID 1600 wrote to memory of 828	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	cmd.exe
PID 1600 wrote to memory of 828	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	cmd.exe
PID 1600 wrote to memory of 828	1600	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe	cmd.exe
PID 1664 wrote to memory of 3460	1664	Logo1_.exe	Explorer.EXE
PID 1664 wrote to memory of 3460	1664	Logo1_.exe	Explorer.EXE
PID 828 wrote to memory of 4252	828	cmd.exe	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
PID 828 wrote to memory of 4252	828	cmd.exe	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
PID 1664 wrote to memory of 784	1664	Logo1_.exe	fontdrvhost.exe
PID 1664 wrote to memory of 792	1664	Logo1_.exe	fontdrvhost.exe
PID 1664 wrote to memory of 1020	1664	Logo1_.exe	dwm.exe
PID 1664 wrote to memory of 2504	1664	Logo1_.exe	sihost.exe
PID 1664 wrote to memory of 2564	1664	Logo1_.exe	svchost.exe
PID 1664 wrote to memory of 2692	1664	Logo1_.exe	taskhostw.exe
PID 1664 wrote to memory of 3460	1664	Logo1_.exe	Explorer.EXE
PID 1664 wrote to memory of 3604	1664	Logo1_.exe	svchost.exe
PID 1664 wrote to memory of 3792	1664	Logo1_.exe	DllHost.exe
PID 1664 wrote to memory of 3896	1664	Logo1_.exe	StartMenuExperienceHost.exe
PID 1664 wrote to memory of 3960	1664	Logo1_.exe	RuntimeBroker.exe
PID 1664 wrote to memory of 4084	1664	Logo1_.exe	SearchApp.exe
PID 1664 wrote to memory of 4140	1664	Logo1_.exe	RuntimeBroker.exe
PID 1664 wrote to memory of 4464	1664	Logo1_.exe	RuntimeBroker.exe
PID 1664 wrote to memory of 336	1664	Logo1_.exe	TextInputHost.exe
PID 1664 wrote to memory of 1316	1664	Logo1_.exe	backgroundTaskHost.exe
PID 1664 wrote to memory of 4052	1664	Logo1_.exe	RuntimeBroker.exe
PID 1664 wrote to memory of 1740	1664	Logo1_.exe	RuntimeBroker.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

Processes:

ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exeLogo1_.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Logo1_.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1020

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2564

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2692

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3460

C:\Users\Admin\AppData\Local\Temp\ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
"C:\Users\Admin\AppData\Local\Temp\ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7474.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
"C:\Users\Admin\AppData\Local\Temp\ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe"
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7733.bat
5⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Users\Admin\AppData\Local\Temp\ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe
"C:\Users\Admin\AppData\Local\Temp\ca39977d2c63551e523b49bba341434d7bd1de45a5dc78e7102f2854d21f3e95.exe"
6⤵
- Executes dropped EXE
PID:4252

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1664

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:4192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3792

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3896

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3960

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4084

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4140

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4464

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:336

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1316

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:412

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4052

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1740

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools