Analysis

max time kernel: 123s
max time network: 121s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 15-12-2024 23:43

Static task: static1
Behavioral task: behavioral1
Sample: 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Resource: win7-20241023-en
General

Target: 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Size: 3.9MB
MD5: 6791d78a1e416823fe4450d05ef9598e
SHA1: 3d7842562b0e66cf88ab71a1fba7b482179bdc8c
SHA256: 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf
SHA512: 49a7cee20aebe106a9cefd9a129ebe81380b0648d89549f8a0eb5819fe12371b0259a55caae879d5327057b8cfd5e086c724becf38ea5d2154b2ffa7e56af50a
SSDEEP: 98304:F1D7IVKqo6eTEgiYhuBBYYXomgviswVWNniUlPmnMOAPv:bIVKn6g3huXb7sAWIkUMOsv
Malware Config

Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)
Set value (int) by 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe:
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"

Sality family

UAC bypass
Set value (int) by 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe:
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass
Set value (int) by 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe:
- \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Executes dropped EXE (1 IoC)
- pid 2656: XW16Pro脱机烧录器远程客户端.exe (the filename translates roughly as "XW16Pro offline programmer remote client")

Loads dropped DLL (4 IoCs)
- pid 1548: 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe (4 loads)

Windows security modification
By 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"

Checks whether UAC is enabled
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
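The firewall-policy, EnableLUA and Security Center writes in the sections above (and the "System policy modification" entry further down) are one pattern: a single process switching off every protection that would otherwise flag it. The detection logic below is an added example written for this report; it is not tria.ge code and not Sality code. The event schema (one dict per SetValue event with process, key and value) is an assumption to be mapped from real telemetry such as Sysmon Event ID 13, and SAMPLE_EVENTS is constructed to mirror the IoCs listed here plus two benign controls.

```python
"""Detect registry writes that weaken Windows Firewall, UAC or Security Center.

Added example for this report (not tria.ge or Sality code). The event schema
below is an assumption; SAMPLE_EVENTS is constructed from the report's IoCs.
"""
from collections import defaultdict

# Value name -> the value that means protection was turned off. Matched on the
# tail of the key path, case-insensitively, so ControlSet001/CurrentControlSet
# and Wow6432Node/native paths all hit the same rule.
TAMPER_RULES = {
    r"FirewallPolicy\StandardProfile\EnableFirewall": "0",
    r"FirewallPolicy\StandardProfile\DoNotAllowExceptions": "0",
    r"FirewallPolicy\StandardProfile\DisableNotifications": "1",
    r"Policies\System\EnableLUA": "0",
    r"Security Center\AntiVirusOverride": "1",
    r"Security Center\AntiVirusDisableNotify": "1",
    r"Security Center\FirewallOverride": "1",
    r"Security Center\FirewallDisableNotify": "1",
    r"Security Center\UpdatesDisableNotify": "1",
    r"Security Center\UacDisableNotify": "1",
}

def match_rule(key_path):
    """Return (rule_tail, weakening_value) when key_path ends with a watched value name."""
    lowered = key_path.lower()
    for tail, bad in TAMPER_RULES.items():
        if lowered.endswith(tail.lower()):
            return tail, bad
    return None

def evaluate(events):
    """Group weakening writes by process: {process: [rule_tail, ...]}.

    A write only counts when the new value is the weakening one, so a
    hardening script that sets EnableLUA back to 1 does not fire."""
    hits = defaultdict(list)
    for ev in events:
        matched = match_rule(ev["key"])
        if matched and str(ev["value"]) == matched[1]:
            hits[ev["process"]].append(matched[0])
    return dict(hits)

def severity(rule_tails):
    """Three or more distinct protections disabled by one process is the
    'switch everything off' pattern in this report; a single write still
    merits review because legitimate software rarely does even that."""
    distinct = len(set(rule_tails))
    if distinct >= 3:
        return "high"
    if distinct >= 1:
        return "medium"
    return "none"

HIVE = r"\REGISTRY\MACHINE"
SAMPLE = "7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe"
# Constructed records mirroring the report's IoCs, plus two benign controls.
SAMPLE_EVENTS = [
    {"process": SAMPLE, "key": HIVE + r"\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall", "value": "0"},
    {"process": SAMPLE, "key": HIVE + r"\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions", "value": "0"},
    {"process": SAMPLE, "key": HIVE + r"\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications", "value": "1"},
    {"process": SAMPLE, "key": HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "value": "0"},
    {"process": SAMPLE, "key": HIVE + r"\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride", "value": "1"},
    {"process": SAMPLE, "key": HIVE + r"\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride", "value": "1"},
    {"process": SAMPLE, "key": HIVE + r"\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify", "value": "1"},
    # benign control: a hardening script re-enabling UAC (value is the safe one)
    {"process": "harden.ps1", "key": HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "value": "1"},
    # benign control: an unrelated value under the same hive
    {"process": "setup.exe", "key": HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater", "value": "1"},
]

def report(events=SAMPLE_EVENTS):
    """Return {process: (severity, sorted distinct rule tails)} for every process with hits."""
    return {p: (severity(t), sorted(set(t))) for p, t in evaluate(events).items()}

if __name__ == "__main__":
    for proc, (sev, tails) in report().items():
        print(f"{sev.upper():6} {proc}")
        for tail in tails:
            print("       ", tail)
```

The rule table is keyed on the tail of the path on purpose: the report shows the values under ControlSet001 and Wow6432Node, but the same writes from a 64-bit process or through CurrentControlSet land on different prefixes and must still match. Counting distinct protections per process rather than raw writes keeps the score stable when the sandbox records the same value being set repeatedly.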
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe, 21 drive roots:
- \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
File opened for modification by 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe:
- C:\autorun.inf
- F:\autorun.inf
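The two drive-root writes above are how the infection reaches the next machine: an autorun.inf that names an executable on the same volume. The report does not show the dropped file's contents, so the scanner below is an added example written for this report (not tria.ge or Sality code) with a constructed autorun.inf body and a placeholder executable name (wfpwkh.exe, hypothetical). The directive names it looks for (open, shellexecute, shell\<verb>\command) are the documented AutoRun keys; the parser is line-based and tolerant because file infectors commonly pad autorun.inf with junk lines that would break a strict INI parser.

```python
"""Find autorun.inf on volume roots and report what it would launch.

Added example for this report (not tria.ge or Sality code). SAMPLE_AUTORUN
and the file names in build_sample_root() are constructed.
"""
import os
import re
import tempfile

_SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")   # shell\open\command, shell\explore\command, ...

def _command_of(value):
    """First token of a directive value: a quoted path or the first whitespace-delimited word."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    parts = value.split()
    return parts[0] if parts else ""

def parse_autorun(text):
    """Ordered, de-duplicated launch targets named in an autorun.inf body."""
    targets = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")          # tolerate a BOM on the first line
        section = _SECTION.match(line)
        if section:
            in_autorun = section.group("name").strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue                                  # junk padding, or a key outside [autorun]
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or _SHELL_CMD.match(key):
            cmd = _command_of(value)
            if cmd and cmd not in targets:
                targets.append(cmd)
    return targets

def scan_root(root):
    """Inspect one volume root. Returns None when no autorun.inf is present."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, "r", encoding="latin-1") as fh:   # latin-1 decodes any byte, so junk cannot abort the scan
        targets = parse_autorun(fh.read())
    return {
        "autorun_path": path,
        "size": os.path.getsize(path),
        "targets": targets,
        "targets_present": [t for t in targets if os.path.exists(os.path.join(root, t))],
    }

def scan_roots(roots):
    """Scan several roots (on Windows e.g. [f'{d}:\\\\' for d in 'DEFGH']) and keep the hits."""
    return [hit for hit in (scan_root(r) for r in roots) if hit]

# Constructed sample body: a padded [autorun] section plus an unrelated section
# whose open= must be ignored. The executable names are placeholders.
SAMPLE_AUTORUN = (
    "[autorun]\r\n"
    "\x8e\x12junk padding \x00 that is not a directive\r\n"
    "open=wfpwkh.exe\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
    "shell\\open\\command=wfpwkh.exe\r\n"
    "shellexecute=setup\\launch.exe\r\n"
    "shell\\explore\\command=wfpwkh.exe /e\r\n"
    "[unrelated]\r\n"
    "open=ignored.exe\r\n"
)

def build_sample_root():
    """Create a temp directory that stands in for a volume root and return its path."""
    root = tempfile.mkdtemp(prefix="vol_")
    with open(os.path.join(root, "autorun.inf"), "w", encoding="latin-1", newline="") as fh:
        fh.write(SAMPLE_AUTORUN)
    with open(os.path.join(root, "wfpwkh.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)                # placeholder bytes, not a real PE
    return root

if __name__ == "__main__":
    for finding in scan_roots([build_sample_root()]):
        print(finding)
```

On Windows 7 with KB971029 applied, and on every later Windows, autorun.inf is ignored on removable and fixed drives; optical media still honor it, and older or unpatched hosts remain exposed. The scanner is still worth running on incident hosts because the file itself, and the executable it names, are the artifacts that tell you which volumes carried the infection.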
yara_rule upx (23 IoCs)
Resource behavioral1/memory/1548-N-0x00000000009F0000-0x0000000001AAA000-memory.dmp (pid 1548, region 0x00000000009F0000-0x0000000001AAA000) matched the upx rule at dump indices N = 3, 4, 5, 6, 7, 8, 9, 13, 14, 20, 66, 67, 74, 77, 78, 86, 87, 90, 93, 94, 119, 120, 124.
Drops file in Program Files directory (5 IoCs)
File opened for modification by 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe:
- C:\Program Files\7-Zip\7z.exe
- C:\Program Files\7-Zip\7zFM.exe
- C:\Program Files\7-Zip\7zG.exe
- C:\Program Files\7-Zip\Uninstall.exe
- C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Drops file in Windows directory (2 IoCs)
By 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe:
- File created C:\Windows\f76bdc3
- File opened for modification C:\Windows\SYSTEM.INI
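Sality is a file infector, so the 7-Zip and Office executables "opened for modification" above are host files being infected rather than files being dropped; after the run, every one of them is a new carrier. The check a responder wants is a baseline-and-diff over executables in Program Files and the Windows directory. The code below is an added example written for this report (not tria.ge or Sality code); the demo tree it builds in a temp directory is constructed, and on a real host the baseline has to come from a trusted state (a clean image or the same host before exposure). Size growth is reported as a hint only: an infector that appends its body makes the host larger, but any hash change on a baselined PE is the finding.

```python
"""Baseline-and-diff integrity check for executables under a directory tree.

Added example for this report (not tria.ge or Sality code). make_demo_tree()
and simulate_infection() build a constructed stand-in for Program Files.
"""
import hashlib
import os
import tempfile

WATCH_EXT = {".exe", ".dll", ".scr"}      # PE types a file infector targets
WATCH_NAMES = {"system.ini"}              # non-PE file the report shows being modified

def _watched(name):
    lower = name.lower()
    return lower in WATCH_NAMES or os.path.splitext(lower)[1] in WATCH_EXT

def _sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def baseline(root):
    """Map relative path (forward slashes) -> (size, sha256) for every watched file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if _watched(name):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = (os.path.getsize(full), _sha256(full))
    return manifest

def diff(before, after):
    """Compare two manifests. 'modified' entries carry the size delta so an
    appended infection body stands out from an in-place patch."""
    modified = []
    for rel, (size_b, hash_b) in before.items():
        if rel in after and after[rel][1] != hash_b:
            modified.append({"path": rel, "size_delta": after[rel][0] - size_b})
    return {
        "modified": modified,
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
    }

def make_demo_tree():
    """Constructed stand-in for Program Files; returns its path."""
    root = tempfile.mkdtemp(prefix="pf_")
    os.makedirs(os.path.join(root, "7-Zip"))
    for name in ("7z.exe", "7zFM.exe", "7zG.exe"):
        with open(os.path.join(root, "7-Zip", name), "wb") as fh:
            fh.write(b"MZ" + name.encode() + b"\x00" * 256)   # placeholder bytes, not real PEs
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("not a watched file type\n")
    return root

def simulate_infection(root):
    """Constructed: append 4096 bytes to one host file and create a new executable,
    approximating what the report shows (host binaries opened for modification,
    a new file created elsewhere)."""
    with open(os.path.join(root, "7-Zip", "7z.exe"), "ab") as fh:
        fh.write(b"\x90" * 4096)
    with open(os.path.join(root, "7-Zip", "helper.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 64)

def demo():
    """Baseline the demo tree, infect it, and return the diff."""
    root = make_demo_tree()
    before = baseline(root)
    simulate_infection(root)
    return diff(before, baseline(root))

if __name__ == "__main__":
    result = demo()
    for entry in result["modified"]:
        print(f"MODIFIED {entry['path']} (size delta {entry['size_delta']:+d} bytes)")
    for path in result["added"]:
        print(f"ADDED    {path}")
```

Run the baseline step from a known-good state and store the manifest off-host; a manifest written after infection is worthless, and an infected host's own tools cannot be trusted to report on it. Authenticode verification is a useful second check for Microsoft and vendor binaries, but a hash diff against a trusted baseline catches the unsigned ones too.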
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by:
- 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
- XW16Pro脱机烧录器远程客户端.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
- pid 1548 (7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe): 13 occurrences
- pid 2656 (XW16Pro脱机烧录器远程客户端.exe): 3 occurrences
Suspicious use of AdjustPrivilegeToken (36 IoCs)
Token: SeDebugPrivilege
- pid 1548 (7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe): 35 occurrences
- pid 2656 (XW16Pro脱机烧录器远程客户端.exe): 1 occurrence
Suspicious use of WriteProcessMemory (58 IoCs)
All writes originate from PID 1548 (7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe); the table collapses repeated identical entries.

target PID | procid_target | writes
1040 (Dwm.exe) | 17 | 13
1064 (taskhost.exe) | 18 | 13
1128 (Explorer.EXE) | 20 | 13
2004 (DllHost.exe) | 23 | 13
2656 (XW16Pro脱机烧录器远程客户端.exe) | 30 | 6
System policy modification (1 TTPs, 1 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Processes

C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  PID: 1040

C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  PID: 1064

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1128

  C:\Users\Admin\AppData\Local\Temp\7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe"
    PID: 1548
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\XW16Pro脱机烧录器远程客户端.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\XW16Pro脱机烧录器远程客户端.exe"
      PID: 2656
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 2004
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

C:\Users\Admin\AppData\Local\Temp\0F76BE02_Rar\7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
  Filesize: 3.9MB
  MD5: c6058463577957e2c50a94720ca34707
  SHA1: c85e715fa73b6095bd472b5db9d2758751f82b0a
  SHA256: a72257bdfac70290f3189c75bec1038dd49158371bfdd0abcf02acaef6d38512
  SHA512: 1d73cb782aa2e641d4c015d47ead0829ff51172b9deca7c22985f3478981d56fd725fa5407cd3777670e59a79426cb3bf51ec0c9e402ac624bcfcd06afc411a9

File (path not listed)
  Filesize: 1KB
  MD5: 15c71546d8a6718390320cb8042d90d8
  SHA1: 87381fac0849f13a298acd62db5a045512631e75
  SHA256: 95358b6d18b9220683efd944b0274f18744d2c7a7210986b620f3b32dc01edcc
  SHA512: b8d840e3cf83568ceede8f01ea780775b9f0148119da7e9935a864bd7a9f9d4ddd0147d26f36748fb53eb5e2fe43f95766710f39bb9699c21c729edafa77b385

File (path not listed)
  Filesize: 44KB
  MD5: 76921f77785ae8652e71cf4dfe8ad3f2
  SHA1: 70527be3c156ecba2dbedef9b0a18136614a3cd2
  SHA256: 48fc3d23f28c8e20244c6394508a6dfb10aca92de1e048637d2a2d7ecf264609
  SHA512: a061f18f2c5a40315f0a710868735c9f5c390456d1f2931c4da21a287e46b658ea5017d6a5e9c4237d0b9a3bc99d54d69a5527d8bedba481066d8ed47b53911e

File (path not listed)
  Filesize: 97KB
  MD5: fd11a2ec935366690087e2c945ad18cf
  SHA1: b49c402803864695cf79e2ef973727ebdd034427
  SHA256: b9ef37994cb3b28b4a8269a12374da74cf0cc0630f55891c91981db1a3530717
  SHA512: 12b5f8519bccfd7cc69902ac64d55c9fa1885ea73745491bed1f7c468df4b4bb8d18ce188a2d217db7ffe2bc555f87332409e543ce2e49e559243d4f962ad655

File (path not listed)
  Filesize: 3.4MB
  MD5: 4171d78edb20d86d7e083fe57a1bbe7f
  SHA1: 36ad3968a58c4fd08e3d4be3a5f2ee977af27990
  SHA256: acce2dfa6ce2ab67b5a278e2032127158f49dd3c211eda38d9623877029372f8
  SHA512: e1bb967edf56dee9f4071861e2e4d606de45904d2d1d4f9300481dd5544ca2155bf1668ab5e14227ee45b6e459afcfe1fffd2304d496f5164c907553d6c7fd38