Overview

Score  Sample                   Platform
3      -°¦n+¦++.exe             windows7-x64
1      -°¦n+¦++.exe             windows10-2004-x64
1      PC远控测试-.exe           windows7-x64
1      PC远控测试-.exe           windows10-2004-x64
3      vip文件�...��.exe        windows7-x64
10     vip文件�...��.exe        windows10-2004-x64
10     菲律宾�...P4.exe         windows7-x64
6      菲律宾�...P4.exe         windows10-2004-x64
6      远程控�...2).exe         windows7-x64
3      远程控�...2).exe         windows10-2004-x64
3      远程控�...2).exe         windows7-x64
3      远程控�...2).exe         windows10-2004-x64
3      远程控�...�-.exe         windows7-x64
3      远程控�...�-.exe         windows10-2004-x64
3      远程控�...�-.exe         windows7-x64
3      远程控�...�-.exe         windows10-2004-x64
3      钱包收�...2).exe         windows7-x64
3      钱包收�...2).exe         windows10-2004-x64
3      钱包收�...�-.exe         windows7-x64
3      钱包收�...�-.exe         windows10-2004-x64

Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-12-2024 21:27
Behavioral tasks

Task          Sample                                        Resource
behavioral1   -°¦n+¦++.exe                                  win7-20240903-en
behavioral2   -°¦n+¦++.exe                                  win10v2004-20241007-en
behavioral3   PC远控测试-.exe                                win7-20240729-en
behavioral4   PC远控测试-.exe                                win10v2004-20241007-en
behavioral5   vip文件捆绑器.exe                              win7-20240903-en
behavioral6   vip文件捆绑器.exe                              win10v2004-20241007-en
behavioral7   菲律宾王小柔疫情期间宾馆做爱视频流出.MP4.exe    win7-20240903-en
behavioral8   菲律宾王小柔疫情期间宾馆做爱视频流出.MP4.exe    win10v2004-20241007-en
behavioral9   远程控制 测试- (2).exe                         win7-20240903-en
behavioral10  远程控制 测试- (2).exe                         win10v2004-20241007-en
behavioral11  远程控制 测试- (2).exe                         win7-20240903-en
behavioral12  远程控制 测试- (2).exe                         win10v2004-20241007-en
behavioral13  远程控制 测试-.exe                             win7-20240729-en
behavioral14  远程控制 测试-.exe                             win10v2004-20241007-en
behavioral15  远程控制 测试-.exe                             win7-20240903-en
behavioral16  远程控制 测试-.exe                             win10v2004-20241007-en
behavioral17  钱包收款地址强制更改器- (2).exe                 win7-20241010-en
behavioral18  钱包收款地址强制更改器- (2).exe                 win10v2004-20241007-en
behavioral19  钱包收款地址强制更改器-.exe                     win7-20241010-en
behavioral20  钱包收款地址强制更改器-.exe                     win10v2004-20241007-en
General

Target: vip文件捆绑器.exe
Size: 1.4MB
MD5: 234673b74b8cf63fd7632fd016d5bf97
SHA1: b8879f89fb52c9a28adf6cb7a76fc4153a9ee498
SHA256: 4f60677b90c4ef6a130b8df6ecacce77b8a3c10e2a38d9e76b03b169ae83f4cd
SHA512: 5994c95447a37afae559dd4846b8ca9af4e6dd6450145d3201ecc66cfd0377b61bbc47a454f6934e08fe2bc1c64b5ed8705e2006542e8029cdd5ae7551107b13
SSDEEP: 24576:89BQEqTGgNnJhiK54h0IvBkEp3W8AD/Dhd+y4lqJ8QdCYDoDNKn0RbpaoG8vn+Q:83XgtJhT9IvBsvD/DX+y4onCYDoDlNao
Malware Config

Extracted family: sality
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | vip文件捆绑器.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | vip文件捆绑器.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | vip文件捆绑器.exe
Sality family

UAC bypass
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vip文件捆绑器.exe

Windows security bypass
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vip文件捆绑器.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vip文件捆绑器.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | vip文件捆绑器.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vip文件捆绑器.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vip文件捆绑器.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vip文件捆绑器.exe
Disables RegEdit via registry modification (1 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | vip文件捆绑器.exe

Disables Task Manager via registry modification

Windows security modification
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vip文件捆绑器.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vip文件捆绑器.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | vip文件捆绑器.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | vip文件捆绑器.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vip文件捆绑器.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vip文件捆绑器.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vip文件捆绑器.exe

Checks whether UAC is enabled
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vip文件捆绑器.exe
Drops file in Program Files directory (11 IoCs)
description | ioc | process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | vip文件捆绑器.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | vip文件捆绑器.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | vip文件捆绑器.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | vip文件捆绑器.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | vip文件捆绑器.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | vip文件捆绑器.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | vip文件捆绑器.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | vip文件捆绑器.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | vip文件捆绑器.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | vip文件捆绑器.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | vip文件捆绑器.exe

Drops file in Windows directory (1 IoCs)
description | ioc | process
File opened for modification | C:\Windows\SYSTEM.INI | vip文件捆绑器.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vip文件捆绑器.exe
Suspicious behavior: EnumeratesProcesses (30 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | process
1848 | vip文件捆绑器.exe
1848 | vip文件捆绑器.exe
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTPs, 1 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vip文件捆绑器.exe
Processes

Format: [depth] image path (command line) PID

[1] C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe") PID:800
[1] C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe") PID:804
[1] C:\Windows\system32\dwm.exe ("dwm.exe") PID:316
[1] C:\Windows\system32\sihost.exe (sihost.exe) PID:2832
[1] C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc) PID:3004
[1] C:\Windows\system32\taskhostw.exe (taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}) PID:1964
[1] C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE) PID:3444
    [2] C:\Users\Admin\AppData\Local\Temp\vip文件捆绑器.exe ("C:\Users\Admin\AppData\Local\Temp\vip文件捆绑器.exe") PID:1848
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
[1] C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc) PID:3568
[1] C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) PID:3756
[1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe ("C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca) PID:3840
[1] C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:3940
[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe ("C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca) PID:4028
[1] C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:2296
[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe ("C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca) PID:4436
[1] C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:3608
[1] C:\Windows\system32\backgroundTaskHost.exe ("C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca) PID:400
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)