Analysis
- max time kernel: 122s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/12/2024, 23:43
- Static task: static1
- Behavioral task: behavioral1
- Sample: 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
- Resource: win7-20241023-en
General
- Target: 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
- Size: 3.9MB
- MD5: 6791d78a1e416823fe4450d05ef9598e
- SHA1: 3d7842562b0e66cf88ab71a1fba7b482179bdc8c
- SHA256: 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf
- SHA512: 49a7cee20aebe106a9cefd9a129ebe81380b0648d89549f8a0eb5819fe12371b0259a55caae879d5327057b8cfd5e086c724becf38ea5d2154b2ffa7e56af50a
- SSDEEP: 98304:F1D7IVKqo6eTEgiYhuBBYYXomgviswVWNniUlPmnMOAPv:bIVKn6g3huXb7sAWIkUMOsv
Malware Config
Extracted family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
-
Sality family
-
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
-
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
-
Executes dropped EXE 1 IoCs
pid | Process
5052 | XW16Pro脱机烧录器远程客户端.exe
-
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
-
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\W: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\I: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\J: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\K: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\P: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\S: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\T: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\E: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\L: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\Q: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\U: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\Z: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\H: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\Y: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\X: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\G: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\M: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\N: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\O: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\R: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened (read-only) | \??\V: | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened for modification | F:\autorun.inf | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
-
Drops file in Program Files directory 11 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
File created | C:\Windows\e578443 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | XW16Pro脱机烧录器远程客户端.exe
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1996 wrote to memory of 796 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 9
PID 1996 wrote to memory of 800 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 10
PID 1996 wrote to memory of 384 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 13
PID 1996 wrote to memory of 2808 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 49
PID 1996 wrote to memory of 2864 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 50
PID 1996 wrote to memory of 2984 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 51
PID 1996 wrote to memory of 3416 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 56
PID 1996 wrote to memory of 3564 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 57
PID 1996 wrote to memory of 3752 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 58
PID 1996 wrote to memory of 3840 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 59
PID 1996 wrote to memory of 3908 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 60
PID 1996 wrote to memory of 3992 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 61
PID 1996 wrote to memory of 4176 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 62
PID 1996 wrote to memory of 700 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 74
PID 1996 wrote to memory of 2612 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 76
PID 1996 wrote to memory of 3640 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 77
PID 1996 wrote to memory of 2272 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 78
PID 1996 wrote to memory of 1284 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 83
PID 1996 wrote to memory of 5052 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 85
PID 1996 wrote to memory of 5052 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 85
PID 1996 wrote to memory of 5052 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 85
PID 1996 wrote to memory of 796 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 9
PID 1996 wrote to memory of 800 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 10
PID 1996 wrote to memory of 384 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 13
PID 1996 wrote to memory of 2808 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 49
PID 1996 wrote to memory of 2864 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 50
PID 1996 wrote to memory of 2984 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 51
PID 1996 wrote to memory of 3416 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 56
PID 1996 wrote to memory of 3564 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 57
PID 1996 wrote to memory of 3752 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 58
PID 1996 wrote to memory of 3840 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 59
PID 1996 wrote to memory of 3908 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 60
PID 1996 wrote to memory of 3992 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 61
PID 1996 wrote to memory of 4176 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 62
PID 1996 wrote to memory of 700 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 74
PID 1996 wrote to memory of 2612 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 76
PID 1996 wrote to memory of 5052 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 85
PID 1996 wrote to memory of 5052 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 85
PID 1996 wrote to memory of 796 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 9
PID 1996 wrote to memory of 800 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 10
PID 1996 wrote to memory of 384 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 13
PID 1996 wrote to memory of 2808 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 49
PID 1996 wrote to memory of 2864 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 50
PID 1996 wrote to memory of 2984 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 51
PID 1996 wrote to memory of 3416 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 56
PID 1996 wrote to memory of 3564 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 57
PID 1996 wrote to memory of 3752 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 58
PID 1996 wrote to memory of 3840 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 59
PID 1996 wrote to memory of 3908 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 60
PID 1996 wrote to memory of 3992 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 61
PID 1996 wrote to memory of 4176 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 62
PID 1996 wrote to memory of 700 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 74
PID 1996 wrote to memory of 2612 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 76
PID 1996 wrote to memory of 796 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 9
PID 1996 wrote to memory of 800 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 10
PID 1996 wrote to memory of 384 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 13
PID 1996 wrote to memory of 2808 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 49
PID 1996 wrote to memory of 2864 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 50
PID 1996 wrote to memory of 2984 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 51
PID 1996 wrote to memory of 3416 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 56
PID 1996 wrote to memory of 3564 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 57
PID 1996 wrote to memory of 3752 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 58
PID 1996 wrote to memory of 3840 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 59
PID 1996 wrote to memory of 3908 | 1996 | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe | 60
-
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
Processes
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  Depth: 1, PID: 796
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  Depth: 1, PID: 800
- C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
  Depth: 1, PID: 384
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  Depth: 1, PID: 2808
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  Depth: 1, PID: 2864
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  Depth: 1, PID: 2984
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Depth: 1, PID: 3416
  - C:\Users\Admin\AppData\Local\Temp\7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7265321baae43182835066d9ab5a90a5efa1b7a0cb92f106f36429bf1e8371bf.exe"
    Depth: 2, PID: 1996
    Signatures:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Checks computer location settings
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\RarSFX0\XW16Pro脱机烧录器远程客户端.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\XW16Pro脱机烧录器远程客户端.exe"
      Depth: 3, PID: 5052
      Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  Depth: 1, PID: 3564
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  Depth: 1, PID: 3752
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  Depth: 1, PID: 3840
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  Depth: 1, PID: 3908
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  Depth: 1, PID: 3992
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  Depth: 1, PID: 4176
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  Depth: 1, PID: 700
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  Depth: 1, PID: 2612
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  Depth: 1, PID: 3640
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  Depth: 1, PID: 2272
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  Depth: 1, PID: 1284
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x2dc 0x310
  Depth: 1, PID: 3028
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads