Analysis
max time kernel: 122s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-12-2024 23:39
Static task: static1
Behavioral task: behavioral1
Sample: 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Resource: win7-20241010-en
General
Target: 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Size: 3.9MB
MD5: 6791d78a1e416823fe4450d05ef9598e
SHA1: 3d7842562b0e66cf88ab71a1fba7b482179bdc8c
SHA256: 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf
SHA512: 49a7cee20aebe106a9cefd9a129ebe81380b0648d89549f8a0eb5819fe12371b0259a55caae879d5327057b8cfd5e086c724becf38ea5d2154b2ffa7e56af50a
SSDEEP: 98304:F1D7IVKqo6eTEgiYhuBBYYXomgviswVWNniUlPmnMOAPv:bIVKn6g3huXb7sAWIkUMOsv
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Sality family
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Executes dropped EXE 1 IoCs
pid | Process
2868 | XW16Pro脱机烧录器远程客户端.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Y: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\I: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\M: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\P: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\S: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\T: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\X: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\J: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\L: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\U: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\V: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\W: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\E: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\G: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\Q: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\Z: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\H: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\K: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\N: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\O: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\R: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened for modification | F:\autorun.inf | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
resource | yara_rule
behavioral2/memory/1300-1-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-3-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-7-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-4-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-20-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-25-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-26-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-21-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-15-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-8-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-56-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-59-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-62-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-72-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-73-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-79-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-89-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-92-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-93-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-95-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-97-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-100-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-106-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-109-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-110-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-113-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-114-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-116-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-118-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-119-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-121-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-122-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-124-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-127-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-129-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-131-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-133-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-136-0x0000000000890000-0x000000000194A000-memory.dmp | upx
behavioral2/memory/1300-137-0x0000000000890000-0x000000000194A000-memory.dmp | upx
Drops file in Program Files directory 11 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\e5795e7 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened for modification | C:\Windows\SYSTEM.INI | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | XW16Pro脱机烧录器远程客户端.exe
Suspicious behavior: EnumeratesProcesses 27 IoCs
pid | Process
1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
2868 | XW16Pro脱机烧录器远程客户端.exe
2868 | XW16Pro脱机烧录器远程客户端.exe
2868 | XW16Pro脱机烧录器远程客户端.exe
1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
(this identical entry is listed 64 times in the report, one per IoC)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1300 wrote to memory of 788 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 9
PID 1300 wrote to memory of 780 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 10
PID 1300 wrote to memory of 64 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 13
PID 1300 wrote to memory of 2652 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 44
PID 1300 wrote to memory of 2724 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 47
PID 1300 wrote to memory of 3040 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 51
PID 1300 wrote to memory of 3432 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 56
PID 1300 wrote to memory of 3544 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 57
PID 1300 wrote to memory of 3748 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 58
PID 1300 wrote to memory of 3844 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 59
PID 1300 wrote to memory of 3908 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 60
PID 1300 wrote to memory of 3992 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 61
PID 1300 wrote to memory of 3112 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 62
PID 1300 wrote to memory of 2096 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 75
PID 1300 wrote to memory of 4088 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 76
PID 1300 wrote to memory of 2932 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 83
PID 1300 wrote to memory of 2868 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 85
PID 1300 wrote to memory of 2868 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 85
PID 1300 wrote to memory of 2868 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 85
PID 1300 wrote to memory of 788 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 9
PID 1300 wrote to memory of 780 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 10
PID 1300 wrote to memory of 64 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 13
PID 1300 wrote to memory of 2652 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 44
PID 1300 wrote to memory of 2724 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 47
PID 1300 wrote to memory of 3040 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 51
PID 1300 wrote to memory of 3432 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 56
PID 1300 wrote to memory of 3544 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 57
PID 1300 wrote to memory of 3748 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 58
PID 1300 wrote to memory of 3844 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 59
PID 1300 wrote to memory of 3908 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 60
PID 1300 wrote to memory of 3992 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 61
PID 1300 wrote to memory of 3112 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 62
PID 1300 wrote to memory of 2096 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 75
PID 1300 wrote to memory of 4088 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 76
PID 1300 wrote to memory of 2932 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 83
PID 1300 wrote to memory of 2868 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 85
PID 1300 wrote to memory of 2868 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 85
PID 1300 wrote to memory of 788 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 9
PID 1300 wrote to memory of 780 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 10
PID 1300 wrote to memory of 64 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 13
PID 1300 wrote to memory of 2652 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 44
PID 1300 wrote to memory of 2724 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 47
PID 1300 wrote to memory of 3040 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 51
PID 1300 wrote to memory of 3432 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 56
PID 1300 wrote to memory of 3544 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 57
PID 1300 wrote to memory of 3748 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 58
PID 1300 wrote to memory of 3844 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 59
PID 1300 wrote to memory of 3908 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 60
PID 1300 wrote to memory of 3992 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 61
PID 1300 wrote to memory of 3112 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 62
PID 1300 wrote to memory of 2096 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 75
PID 1300 wrote to memory of 4088 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 76
PID 1300 wrote to memory of 788 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 9
PID 1300 wrote to memory of 780 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 10
PID 1300 wrote to memory of 64 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 13
PID 1300 wrote to memory of 2652 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 44
PID 1300 wrote to memory of 2724 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 47
PID 1300 wrote to memory of 3040 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 51
PID 1300 wrote to memory of 3432 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 56
PID 1300 wrote to memory of 3544 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 57
PID 1300 wrote to memory of 3748 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 58
PID 1300 wrote to memory of 3844 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 59
PID 1300 wrote to memory of 3908 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 60
PID 1300 wrote to memory of 3992 | 1300 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 61
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Processes
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 788
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 780
- C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
  PID: 64
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2652
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2724
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 3040
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3432
  - C:\Users\Admin\AppData\Local\Temp\7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe"
    PID: 1300
    Signatures:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Checks computer location settings
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\RarSFX0\XW16Pro脱机烧录器远程客户端.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\XW16Pro脱机烧录器远程客户端.exe"
      PID: 2868
      Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3544
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3748
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3844
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3908
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3992
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3112
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 2096
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4088
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 2932
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x518 0x51c
  PID: 1856
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
C:\Users\Admin\AppData\Local\Temp\0E57973F_Rar\7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Filesize: 3.9MB
MD5: c6058463577957e2c50a94720ca34707
SHA1: c85e715fa73b6095bd472b5db9d2758751f82b0a
SHA256: a72257bdfac70290f3189c75bec1038dd49158371bfdd0abcf02acaef6d38512
SHA512: 1d73cb782aa2e641d4c015d47ead0829ff51172b9deca7c22985f3478981d56fd725fa5407cd3777670e59a79426cb3bf51ec0c9e402ac624bcfcd06afc411a9

Filesize: 3.4MB
MD5: 4171d78edb20d86d7e083fe57a1bbe7f
SHA1: 36ad3968a58c4fd08e3d4be3a5f2ee977af27990
SHA256: acce2dfa6ce2ab67b5a278e2032127158f49dd3c211eda38d9623877029372f8
SHA512: e1bb967edf56dee9f4071861e2e4d606de45904d2d1d4f9300481dd5544ca2155bf1668ab5e14227ee45b6e459afcfe1fffd2304d496f5164c907553d6c7fd38

Filesize: 1KB
MD5: 15c71546d8a6718390320cb8042d90d8
SHA1: 87381fac0849f13a298acd62db5a045512631e75
SHA256: 95358b6d18b9220683efd944b0274f18744d2c7a7210986b620f3b32dc01edcc
SHA512: b8d840e3cf83568ceede8f01ea780775b9f0148119da7e9935a864bd7a9f9d4ddd0147d26f36748fb53eb5e2fe43f95766710f39bb9699c21c729edafa77b385

Filesize: 44KB
MD5: 76921f77785ae8652e71cf4dfe8ad3f2
SHA1: 70527be3c156ecba2dbedef9b0a18136614a3cd2
SHA256: 48fc3d23f28c8e20244c6394508a6dfb10aca92de1e048637d2a2d7ecf264609
SHA512: a061f18f2c5a40315f0a710868735c9f5c390456d1f2931c4da21a287e46b658ea5017d6a5e9c4237d0b9a3bc99d54d69a5527d8bedba481066d8ed47b53911e

Filesize: 97KB
MD5: f4ad2e9b61e8a1b7df408aa82f2867d6
SHA1: ce2861d54a9ac05cacb771c32b1d330ea516e904
SHA256: 07bc3d70788bc4c75d7ca3103a2ce45e9d739eea36d2e9560ee790adc414858c
SHA512: 952975310453f12cf496084d1c7c997b14037c64cf5a28dba105e77ab193a9f08cfd08c3cf0b06ead603d61b09b6a4661a408181dcce33ecc718a956243b6996