sality | 89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

Windows Service

T1543.003

Processes:

89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

Processes:

89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

Windows security bypass 2 TTPs 12 IoCs

Disable or Modify Tools

Modify Registry

Processes:

explorer.exe89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	explorer.exe

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3060-7-0x00000000025D0000-0x000000000365E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/3060-9-0x00000000025D0000-0x000000000365E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/3060-5-0x00000000025D0000-0x000000000365E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/3060-10-0x00000000025D0000-0x000000000365E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/3060-8-0x00000000025D0000-0x000000000365E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/3060-6-0x00000000025D0000-0x000000000365E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/3060-12-0x00000000025D0000-0x000000000365E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/3060-11-0x00000000025D0000-0x000000000365E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/3060-13-0x00000000025D0000-0x000000000365E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/3060-91-0x00000000025D0000-0x000000000365E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/3060-102-0x00000000025D0000-0x000000000365E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/3060-95-0x00000000025D0000-0x000000000365E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/3060-126-0x00000000025D0000-0x000000000365E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2800-207-0x0000000003450000-0x00000000044DE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2800-204-0x0000000003450000-0x00000000044DE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2800-206-0x0000000003450000-0x00000000044DE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2800-205-0x0000000003450000-0x00000000044DE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2800-211-0x0000000003450000-0x00000000044DE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2800-202-0x0000000003450000-0x00000000044DE000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
C:\asjdb.pif	INDICATOR_EXE_Packed_SimplePolyEngine

UPX dump on OEP (original entry point) 24 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3060-7-0x00000000025D0000-0x000000000365E000-memory.dmp	UPX
behavioral1/memory/3060-9-0x00000000025D0000-0x000000000365E000-memory.dmp	UPX
behavioral1/memory/3060-5-0x00000000025D0000-0x000000000365E000-memory.dmp	UPX
behavioral1/memory/3060-10-0x00000000025D0000-0x000000000365E000-memory.dmp	UPX
behavioral1/memory/3060-8-0x00000000025D0000-0x000000000365E000-memory.dmp	UPX
behavioral1/memory/3060-6-0x00000000025D0000-0x000000000365E000-memory.dmp	UPX
behavioral1/memory/3060-12-0x00000000025D0000-0x000000000365E000-memory.dmp	UPX
behavioral1/memory/3060-11-0x00000000025D0000-0x000000000365E000-memory.dmp	UPX
behavioral1/memory/3060-13-0x00000000025D0000-0x000000000365E000-memory.dmp	UPX
behavioral1/memory/3060-91-0x00000000025D0000-0x000000000365E000-memory.dmp	UPX
behavioral1/memory/2040-106-0x0000000000400000-0x0000000000441000-memory.dmp	UPX
behavioral1/memory/2780-117-0x0000000000400000-0x0000000000441000-memory.dmp	UPX
behavioral1/memory/3060-102-0x00000000025D0000-0x000000000365E000-memory.dmp	UPX
behavioral1/memory/3060-95-0x00000000025D0000-0x000000000365E000-memory.dmp	UPX
behavioral1/memory/2668-125-0x0000000000400000-0x0000000000441000-memory.dmp	UPX
behavioral1/memory/3060-139-0x0000000000400000-0x0000000000441000-memory.dmp	UPX
behavioral1/memory/3060-126-0x00000000025D0000-0x000000000365E000-memory.dmp	UPX
behavioral1/memory/2008-120-0x0000000000400000-0x0000000000441000-memory.dmp	UPX
behavioral1/memory/2800-207-0x0000000003450000-0x00000000044DE000-memory.dmp	UPX
behavioral1/memory/2800-204-0x0000000003450000-0x00000000044DE000-memory.dmp	UPX
behavioral1/memory/2800-206-0x0000000003450000-0x00000000044DE000-memory.dmp	UPX
behavioral1/memory/2800-205-0x0000000003450000-0x00000000044DE000-memory.dmp	UPX
behavioral1/memory/2800-211-0x0000000003450000-0x00000000044DE000-memory.dmp	UPX
behavioral1/memory/2800-202-0x0000000003450000-0x00000000044DE000-memory.dmp	UPX

Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

Processes:

360TS_Setup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\Geo\Nation	360TS_Setup.exe

Deletes itself 1 IoCs

Processes:

explorer.exe

pid process

2800 explorer.exe

pid	process
2800	explorer.exe

Executes dropped EXE 8 IoCs

Processes:

89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe360TS_Setup.exe360TS_Setup.exe

pid	process
2580	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
2668	icsys.icn.exe
2800	explorer.exe
2008	spoolsv.exe
2040	svchost.exe
2780	spoolsv.exe
2664	360TS_Setup.exe
2600	360TS_Setup.exe

Loads dropped DLL 19 IoCs

Processes:

89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exe360TS_Setup.exe360TS_Setup.exe

pid	process
3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
2580	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
2668	icsys.icn.exe
2668	icsys.icn.exe
2800	explorer.exe
2800	explorer.exe
2008	spoolsv.exe
2008	spoolsv.exe
2040	svchost.exe
2040	svchost.exe
2580	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
2580	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
2580	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
2580	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
2664	360TS_Setup.exe
2664	360TS_Setup.exe
2600	360TS_Setup.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3060-7-0x00000000025D0000-0x000000000365E000-memory.dmp	upx
behavioral1/memory/3060-9-0x00000000025D0000-0x000000000365E000-memory.dmp	upx
behavioral1/memory/3060-5-0x00000000025D0000-0x000000000365E000-memory.dmp	upx
behavioral1/memory/3060-10-0x00000000025D0000-0x000000000365E000-memory.dmp	upx
behavioral1/memory/3060-8-0x00000000025D0000-0x000000000365E000-memory.dmp	upx
behavioral1/memory/3060-6-0x00000000025D0000-0x000000000365E000-memory.dmp	upx
behavioral1/memory/3060-12-0x00000000025D0000-0x000000000365E000-memory.dmp	upx
behavioral1/memory/3060-11-0x00000000025D0000-0x000000000365E000-memory.dmp	upx
behavioral1/memory/3060-13-0x00000000025D0000-0x000000000365E000-memory.dmp	upx
behavioral1/memory/3060-91-0x00000000025D0000-0x000000000365E000-memory.dmp	upx
behavioral1/memory/3060-102-0x00000000025D0000-0x000000000365E000-memory.dmp	upx
behavioral1/memory/3060-95-0x00000000025D0000-0x000000000365E000-memory.dmp	upx
behavioral1/memory/3060-126-0x00000000025D0000-0x000000000365E000-memory.dmp	upx
behavioral1/memory/2800-207-0x0000000003450000-0x00000000044DE000-memory.dmp	upx
behavioral1/memory/2800-204-0x0000000003450000-0x00000000044DE000-memory.dmp	upx
behavioral1/memory/2800-206-0x0000000003450000-0x00000000044DE000-memory.dmp	upx
behavioral1/memory/2800-205-0x0000000003450000-0x00000000044DE000-memory.dmp	upx
behavioral1/memory/2800-211-0x0000000003450000-0x00000000044DE000-memory.dmp	upx
behavioral1/memory/2800-202-0x0000000003450000-0x00000000044DE000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

Disable or Modify Tools

Modify Registry

Processes:

89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

Processes:

89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

Enumerates connected drives 3 TTPs 7 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

explorer.exe

description	ioc	process
File opened (read-only)	\??\K:	explorer.exe
File opened (read-only)	\??\L:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\G:	explorer.exe
File opened (read-only)	\??\H:	explorer.exe
File opened (read-only)	\??\I:	explorer.exe
File opened (read-only)	\??\J:	explorer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe 360TS_Setup.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
File opened for modification	\??\PhysicalDrive0	360TS_Setup.exe

Drops file in Program Files directory 2 IoCs

Processes:

360TS_Setup.exe

description	ioc	process
File created	C:\Program Files (x86)\1716345634_0\360TS_Setup.exe	360TS_Setup.exe
File opened for modification	C:\Program Files (x86)\1716345634_0\360TS_Setup.exe	360TS_Setup.exe

Drops file in Windows directory 6 IoCs

Processes:

89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exeicsys.icn.exeexplorer.exesvchost.exe

pid	process
3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
2668	icsys.icn.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2040	svchost.exe
2040	svchost.exe
2800	explorer.exe
2040	svchost.exe
2800	explorer.exe
2040	svchost.exe
2800	explorer.exe
2040	svchost.exe
2800	explorer.exe
2040	svchost.exe
2800	explorer.exe
2040	svchost.exe
2800	explorer.exe
2040	svchost.exe
2800	explorer.exe
2040	svchost.exe
2800	explorer.exe
2040	svchost.exe
2800	explorer.exe
2040	svchost.exe
2800	explorer.exe
2040	svchost.exe
2800	explorer.exe
2040	svchost.exe
2800	explorer.exe
2040	svchost.exe
2800	explorer.exe
2040	svchost.exe
2800	explorer.exe
2040	svchost.exe
2800	explorer.exe
2040	svchost.exe
2800	explorer.exe
2040	svchost.exe
2800	explorer.exe
2040	svchost.exe
2800	explorer.exe
2040	svchost.exe
2800	explorer.exe
2040	svchost.exe
2800	explorer.exe
2040	svchost.exe
2800	explorer.exe
2040	svchost.exe
2800	explorer.exe
2040	svchost.exe
2800	explorer.exe
2040	svchost.exe
2800	explorer.exe
2040	svchost.exe
2800	explorer.exe
2040	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2800 explorer.exe
2040 svchost.exe

pid	process
2800	explorer.exe
2040	svchost.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe explorer.exe

description	pid	process
Token: SeDebugPrivilege	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Token: SeDebugPrivilege	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Token: SeDebugPrivilege	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Token: SeDebugPrivilege	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Token: SeDebugPrivilege	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Token: SeDebugPrivilege	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Token: SeDebugPrivilege	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Token: SeDebugPrivilege	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Token: SeDebugPrivilege	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Token: SeDebugPrivilege	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Token: SeDebugPrivilege	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Token: SeDebugPrivilege	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Token: SeDebugPrivilege	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Token: SeDebugPrivilege	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Token: SeDebugPrivilege	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Token: SeDebugPrivilege	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Token: SeDebugPrivilege	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Token: SeDebugPrivilege	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Token: SeDebugPrivilege	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Token: SeDebugPrivilege	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Token: SeManageVolumePrivilege	2580	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Token: SeDebugPrivilege	2800	explorer.exe
Token: SeDebugPrivilege	2800	explorer.exe
Token: SeDebugPrivilege	2800	explorer.exe
Token: SeDebugPrivilege	2800	explorer.exe
Token: SeDebugPrivilege	2800	explorer.exe
Token: SeDebugPrivilege	2800	explorer.exe
Token: SeDebugPrivilege	2800	explorer.exe
Token: SeDebugPrivilege	2800	explorer.exe
Token: SeDebugPrivilege	2800	explorer.exe
Token: SeDebugPrivilege	2800	explorer.exe
Token: SeDebugPrivilege	2800	explorer.exe
Token: SeDebugPrivilege	2800	explorer.exe
Token: SeDebugPrivilege	2800	explorer.exe
Token: SeDebugPrivilege	2800	explorer.exe
Token: SeDebugPrivilege	2800	explorer.exe
Token: SeDebugPrivilege	2800	explorer.exe
Token: SeDebugPrivilege	2800	explorer.exe
Token: SeDebugPrivilege	2800	explorer.exe
Token: SeDebugPrivilege	2800	explorer.exe
Token: SeDebugPrivilege	2800	explorer.exe
Token: SeDebugPrivilege	2800	explorer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe

pid	process
2580	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
2580	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
2580	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe

pid	process
2580	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
2580	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
2580	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
2668	icsys.icn.exe
2668	icsys.icn.exe
2800	explorer.exe
2800	explorer.exe
2008	spoolsv.exe
2008	spoolsv.exe
2040	svchost.exe
2040	svchost.exe
2780	spoolsv.exe
2780	spoolsv.exe
2800	explorer.exe
2800	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe 360TS_Setup.exe

description	pid	process	target process
PID 3060 wrote to memory of 1268	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe	taskhost.exe
PID 3060 wrote to memory of 1348	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe	Dwm.exe
PID 3060 wrote to memory of 1380	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe	Explorer.EXE
PID 3060 wrote to memory of 1460	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe	DllHost.exe
PID 3060 wrote to memory of 2580	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
PID 3060 wrote to memory of 2580	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
PID 3060 wrote to memory of 2580	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
PID 3060 wrote to memory of 2580	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
PID 3060 wrote to memory of 2580	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
PID 3060 wrote to memory of 2580	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
PID 3060 wrote to memory of 2580	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
PID 3060 wrote to memory of 2668	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe	icsys.icn.exe
PID 3060 wrote to memory of 2668	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe	icsys.icn.exe
PID 3060 wrote to memory of 2668	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe	icsys.icn.exe
PID 3060 wrote to memory of 2668	3060	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe	icsys.icn.exe
PID 2668 wrote to memory of 2800	2668	icsys.icn.exe	explorer.exe
PID 2668 wrote to memory of 2800	2668	icsys.icn.exe	explorer.exe
PID 2668 wrote to memory of 2800	2668	icsys.icn.exe	explorer.exe
PID 2668 wrote to memory of 2800	2668	icsys.icn.exe	explorer.exe
PID 2800 wrote to memory of 2008	2800	explorer.exe	spoolsv.exe
PID 2800 wrote to memory of 2008	2800	explorer.exe	spoolsv.exe
PID 2800 wrote to memory of 2008	2800	explorer.exe	spoolsv.exe
PID 2800 wrote to memory of 2008	2800	explorer.exe	spoolsv.exe
PID 2008 wrote to memory of 2040	2008	spoolsv.exe	svchost.exe
PID 2008 wrote to memory of 2040	2008	spoolsv.exe	svchost.exe
PID 2008 wrote to memory of 2040	2008	spoolsv.exe	svchost.exe
PID 2008 wrote to memory of 2040	2008	spoolsv.exe	svchost.exe
PID 2040 wrote to memory of 2780	2040	svchost.exe	spoolsv.exe
PID 2040 wrote to memory of 2780	2040	svchost.exe	spoolsv.exe
PID 2040 wrote to memory of 2780	2040	svchost.exe	spoolsv.exe
PID 2040 wrote to memory of 2780	2040	svchost.exe	spoolsv.exe
PID 2040 wrote to memory of 560	2040	svchost.exe	at.exe
PID 2040 wrote to memory of 560	2040	svchost.exe	at.exe
PID 2040 wrote to memory of 560	2040	svchost.exe	at.exe
PID 2040 wrote to memory of 560	2040	svchost.exe	at.exe
PID 2800 wrote to memory of 1268	2800	explorer.exe	taskhost.exe
PID 2800 wrote to memory of 1348	2800	explorer.exe	Dwm.exe
PID 2800 wrote to memory of 1380	2800	explorer.exe	Explorer.EXE
PID 2800 wrote to memory of 1460	2800	explorer.exe	DllHost.exe
PID 2800 wrote to memory of 2580	2800	explorer.exe	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
PID 2800 wrote to memory of 2580	2800	explorer.exe	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
PID 2800 wrote to memory of 2040	2800	explorer.exe	svchost.exe
PID 2800 wrote to memory of 2040	2800	explorer.exe	svchost.exe
PID 2580 wrote to memory of 2664	2580	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe	360TS_Setup.exe
PID 2580 wrote to memory of 2664	2580	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe	360TS_Setup.exe
PID 2580 wrote to memory of 2664	2580	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe	360TS_Setup.exe
PID 2580 wrote to memory of 2664	2580	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe	360TS_Setup.exe
PID 2580 wrote to memory of 2664	2580	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe	360TS_Setup.exe
PID 2580 wrote to memory of 2664	2580	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe	360TS_Setup.exe
PID 2580 wrote to memory of 2664	2580	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe	360TS_Setup.exe
PID 2664 wrote to memory of 2600	2664	360TS_Setup.exe	360TS_Setup.exe
PID 2664 wrote to memory of 2600	2664	360TS_Setup.exe	360TS_Setup.exe
PID 2664 wrote to memory of 2600	2664	360TS_Setup.exe	360TS_Setup.exe
PID 2664 wrote to memory of 2600	2664	360TS_Setup.exe	360TS_Setup.exe
PID 2664 wrote to memory of 2600	2664	360TS_Setup.exe	360TS_Setup.exe
PID 2664 wrote to memory of 2600	2664	360TS_Setup.exe	360TS_Setup.exe
PID 2664 wrote to memory of 2600	2664	360TS_Setup.exe	360TS_Setup.exe
PID 2800 wrote to memory of 1268	2800	explorer.exe	taskhost.exe
PID 2800 wrote to memory of 1348	2800	explorer.exe	Dwm.exe
PID 2800 wrote to memory of 1380	2800	explorer.exe	Explorer.EXE
PID 2800 wrote to memory of 1460	2800	explorer.exe	DllHost.exe
PID 2800 wrote to memory of 2664	2800	explorer.exe	360TS_Setup.exe
PID 2800 wrote to memory of 2664	2800	explorer.exe	360TS_Setup.exe
PID 2800 wrote to memory of 2600	2800	explorer.exe	360TS_Setup.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

Processes:

89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1268

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1348

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
"C:\Users\Admin\AppData\Local\Temp\89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe"
2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3060

\??\c:\users\admin\appdata\local\temp\89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
c:\users\admin\appdata\local\temp\89d8159f2b5c706c1ab897275d93455368b9bb5c496b94e9160ad29b6bfa5fff.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2580

C:\Users\Admin\appdata\local\temp\360TS_Setup.exe
"C:\Users\Admin\appdata\local\temp\360TS_Setup.exe" /c:101 /pmode:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2664

C:\Program Files (x86)\1716345634_0\360TS_Setup.exe
"C:\Program Files (x86)\1716345634_0\360TS_Setup.exe" /c:101 /pmode:2 /TSinstall
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:2600

C:\Users\Admin\AppData\Local\icsys.icn.exe
C:\Users\Admin\AppData\Local\icsys.icn.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2668

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Modifies Installed Components in the registry
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2780

C:\Windows\SysWOW64\at.exe
at 02:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
7⤵
PID:560

C:\Windows\SysWOW64\at.exe
at 02:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
7⤵
PID:2540

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1460

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery