sality | cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69

Analysis

max time kernel
22s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Size

543KB
MD5

57a9cfd170d1e96b318f75fe008f8be0
SHA1

eed39956b07e83fb0b09e8237c1e20eb294eea68
SHA256

cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69
SHA512

206f17c239ccd9a45bf6c5fdf8b6aa31975c644a03b6b82c80fa380a4fcf23d9c31f89829c0e51d9251d61d6b0f25ac9722b21568b36cc6fde3064435ceab28e
SSDEEP

6144:SVfjmNFBqBcLb+Vb3aZfhQuSZa5z42qGjZ32D+a48g4vKGggHSawol8Utv55DHtI:s7+b8cveb3aVhQxsURGIgLZ/csbEM/h

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exeLogo1_.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	Logo1_.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exeLogo1_.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Logo1_.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exeLogo1_.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Logo1_.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2724 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

Logo1_.execfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe

pid process

2612 Logo1_.exe
2824 cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2724 cmd.exe

pid	process
2724	cmd.exe

pid	process
2724	cmd.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2824-30-0x0000000001E00000-0x0000000002E8E000-memory.dmp	upx
behavioral1/memory/2824-36-0x0000000001E00000-0x0000000002E8E000-memory.dmp	upx
behavioral1/memory/2824-35-0x0000000001E00000-0x0000000002E8E000-memory.dmp	upx
behavioral1/memory/2824-43-0x0000000001E00000-0x0000000002E8E000-memory.dmp	upx
behavioral1/memory/2824-44-0x0000000001E00000-0x0000000002E8E000-memory.dmp	upx
behavioral1/memory/2824-76-0x0000000001E00000-0x0000000002E8E000-memory.dmp	upx
behavioral1/memory/2824-45-0x0000000001E00000-0x0000000002E8E000-memory.dmp	upx
behavioral1/memory/2824-83-0x0000000001E00000-0x0000000002E8E000-memory.dmp	upx
behavioral1/memory/2824-82-0x0000000001E00000-0x0000000002E8E000-memory.dmp	upx
behavioral1/memory/2824-84-0x0000000001E00000-0x0000000002E8E000-memory.dmp	upx
behavioral1/memory/2612-118-0x0000000003000000-0x000000000408E000-memory.dmp	upx
behavioral1/memory/2612-120-0x0000000003000000-0x000000000408E000-memory.dmp	upx
behavioral1/memory/2612-102-0x0000000003000000-0x000000000408E000-memory.dmp	upx
behavioral1/memory/2612-115-0x0000000003000000-0x000000000408E000-memory.dmp	upx
behavioral1/memory/2612-106-0x0000000003000000-0x000000000408E000-memory.dmp	upx
behavioral1/memory/2612-203-0x0000000003000000-0x000000000408E000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Logo1_.execfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exeLogo1_.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Logo1_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe

Drops file in Windows directory 5 IoCs

Processes:

cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exeLogo1_.execfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
File created	C:\Windows\Logo1_.exe	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File opened for modification	C:\Windows\SYSTEM.INI	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

Logo1_.execfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe

pid	process
2612	Logo1_.exe
2612	Logo1_.exe
2612	Logo1_.exe
2612	Logo1_.exe
2612	Logo1_.exe
2612	Logo1_.exe
2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
2612	Logo1_.exe
2612	Logo1_.exe
2612	Logo1_.exe
2612	Logo1_.exe
2612	Logo1_.exe
2612	Logo1_.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exeLogo1_.exe

description	pid	process
Token: SeDebugPrivilege	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	2612	Logo1_.exe
Token: SeDebugPrivilege	2612	Logo1_.exe
Token: SeDebugPrivilege	2612	Logo1_.exe
Token: SeDebugPrivilege	2612	Logo1_.exe
Token: SeDebugPrivilege	2612	Logo1_.exe
Token: SeDebugPrivilege	2612	Logo1_.exe
Token: SeDebugPrivilege	2612	Logo1_.exe
Token: SeDebugPrivilege	2612	Logo1_.exe
Token: SeDebugPrivilege	2612	Logo1_.exe
Token: SeDebugPrivilege	2612	Logo1_.exe
Token: SeDebugPrivilege	2612	Logo1_.exe
Token: SeDebugPrivilege	2612	Logo1_.exe
Token: SeDebugPrivilege	2612	Logo1_.exe
Token: SeDebugPrivilege	2612	Logo1_.exe
Token: SeDebugPrivilege	2612	Logo1_.exe
Token: SeDebugPrivilege	2612	Logo1_.exe
Token: SeDebugPrivilege	2612	Logo1_.exe
Token: SeDebugPrivilege	2612	Logo1_.exe
Token: SeDebugPrivilege	2612	Logo1_.exe
Token: SeDebugPrivilege	2612	Logo1_.exe
Token: SeDebugPrivilege	2612	Logo1_.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exeLogo1_.execmd.exenet.execfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe

description	pid	process	target process
PID 2184 wrote to memory of 2724	2184	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	cmd.exe
PID 2184 wrote to memory of 2724	2184	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	cmd.exe
PID 2184 wrote to memory of 2724	2184	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	cmd.exe
PID 2184 wrote to memory of 2724	2184	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	cmd.exe
PID 2184 wrote to memory of 2612	2184	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	Logo1_.exe
PID 2184 wrote to memory of 2612	2184	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	Logo1_.exe
PID 2184 wrote to memory of 2612	2184	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	Logo1_.exe
PID 2184 wrote to memory of 2612	2184	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	Logo1_.exe
PID 2612 wrote to memory of 2744	2612	Logo1_.exe	net.exe
PID 2612 wrote to memory of 2744	2612	Logo1_.exe	net.exe
PID 2612 wrote to memory of 2744	2612	Logo1_.exe	net.exe
PID 2612 wrote to memory of 2744	2612	Logo1_.exe	net.exe
PID 2724 wrote to memory of 2824	2724	cmd.exe	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
PID 2724 wrote to memory of 2824	2724	cmd.exe	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
PID 2724 wrote to memory of 2824	2724	cmd.exe	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
PID 2724 wrote to memory of 2824	2724	cmd.exe	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
PID 2724 wrote to memory of 2824	2724	cmd.exe	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
PID 2724 wrote to memory of 2824	2724	cmd.exe	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
PID 2724 wrote to memory of 2824	2724	cmd.exe	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
PID 2744 wrote to memory of 2604	2744	net.exe	net1.exe
PID 2744 wrote to memory of 2604	2744	net.exe	net1.exe
PID 2744 wrote to memory of 2604	2744	net.exe	net1.exe
PID 2744 wrote to memory of 2604	2744	net.exe	net1.exe
PID 2824 wrote to memory of 1200	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	taskhost.exe
PID 2824 wrote to memory of 1284	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	Dwm.exe
PID 2824 wrote to memory of 1344	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	Explorer.EXE
PID 2824 wrote to memory of 1088	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	DllHost.exe
PID 2824 wrote to memory of 2724	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	cmd.exe
PID 2824 wrote to memory of 2724	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	cmd.exe
PID 2824 wrote to memory of 2124	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	conhost.exe
PID 2824 wrote to memory of 2612	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	Logo1_.exe
PID 2824 wrote to memory of 2612	2824	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	Logo1_.exe
PID 2612 wrote to memory of 1344	2612	Logo1_.exe	Explorer.EXE
PID 2612 wrote to memory of 1344	2612	Logo1_.exe	Explorer.EXE
PID 2612 wrote to memory of 1200	2612	Logo1_.exe	taskhost.exe
PID 2612 wrote to memory of 1284	2612	Logo1_.exe	Dwm.exe
PID 2612 wrote to memory of 1344	2612	Logo1_.exe	Explorer.EXE
PID 2612 wrote to memory of 1200	2612	Logo1_.exe	taskhost.exe
PID 2612 wrote to memory of 1284	2612	Logo1_.exe	Dwm.exe
PID 2612 wrote to memory of 1344	2612	Logo1_.exe	Explorer.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exeLogo1_.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Logo1_.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1200

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1284

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
"C:\Users\Admin\AppData\Local\Temp\cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6C4A.bat
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Local\Temp\cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
"C:\Users\Admin\AppData\Local\Temp\cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe"
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2824

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2612

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1894533562614240063-1922815818-1109520226-1396617638236449302-8276077591527839937"
1⤵
PID:2124

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
251KB

MD5
533ce215a7c274602dc456ca375cef93

SHA1
76c502d7c45eca3fd96f6b04eb850e751bc785dd

SHA256
d70c9f73bbeed5cbc0df4a4d14bae68789f84d8092281337d2919322b288ce9c

SHA512
09d9dee36c48567921de4b7c31c4a822d5f9ed5e0b1cb0330031b320f40b5ba9b15e89dc37d52561094642c0ff16c14d32e81ed5b1dac06150fefbbd6f3365bf

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a6C4A.bat
Filesize
722B

MD5
470908d3f45811e5743ade571612f903

SHA1
07ec30b80d05c349ecb3bf75b8c7bffa6a451fc5

SHA256
cc52dab6d5f5d2218175d35eedfe3f01c66d820656566e50842add91805c0bcd

SHA512
38c8a636db52cf41e8ba0ac22ea0b86babbeddb3838cb92bfac00e41568a6f8c1cc09a4b433f7ee97181923656890b8f3edd82547d72ba6dafe22df5b81c8e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\0F766F85_Rar\cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Filesize
444KB

MD5
1108b166160d6023af76435b074052b6

SHA1
7538372af2b7dc03f908a94cba7d046d301c805e

SHA256
52b032521b4cd24a4268472bcff3be42fd8166a5cc5993b89f79575aa0279666

SHA512
f12dea253197375dbbe06d9c51d4016abdbe4f8f5cdd756880e53c211412ae19a2d23f2cc8cd0c39b6b2675cc4085d64070569c23e7c411b859dca073973797b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe.exe
Filesize
516KB

MD5
8b1ebb25da592427b043652c2501021c

SHA1
20e55256c933abf2343ee54037e75dc3c5164304

SHA256
e4a3b471b7719161ed4c95fb8d9fc4fab7fba2d2fea4e3f579b1da981c091374

SHA512
2380c8af8e10d983506d3ec963d66a9349120164d8f9723fb3aeec7dbb6a5419e3c2870d7d8ebbe906f05d9a83aa987fe9e1045f4b5f9657c0d4dab7b127df6f

Download Submit
C:\Windows\Logo1_.exe
Filesize
26KB

MD5
c5a8312f88f1dcec47a28264ae54f6f1

SHA1
64b1bde76a151fc4ebd09ed44a8e2e6aec6ec219

SHA256
dff8ca68a4330213bc89e130f3794f13c27adf85c297d98f184e563103a2800d

SHA512
110992a0170f7fa7f43a5f1af26cc2409a78df1f18904275c008c0546230a2ce11477aa14f864be20223144770808eed8f488fef1005b5045f1c764d1ac769a2

Download Submit
C:\Windows\SYSTEM.INI
Filesize
256B

MD5
60bbf3feb1430d9d93ebea66e816d22f

SHA1
345af1254458e2b94c27497b33f2979badaf0104

SHA256
feb25efa7c1eaf9b2c4fc925f1c00dc7dd6048933f13dd225672b3992de8cfc4

SHA512
a40f708f2682b4e8e1d38bcbebb74e586a083d70f8cbb1f99382e4507c59c8b0cc495bd00bc23c3d57569dfa56e8d09cd2fcf5460dcec048a3823cb87ed55c30

Download Submit
C:\hdsm.exe
Filesize
100KB

MD5
71fbfae6f983c53fc5d5812572cd2d62

SHA1
adc11315bcde0f409cf0c00fa426cf7ace3c569f

SHA256
f3c993493b48db5c22050566a41edff3afcd1d0301a7738735ccce5b79061663

SHA512
604850e16bc141eb3e021dabe943084aa32cf03774a0c29879ec522be66e2488d626fa26fc05c67955dfb4a6af32a4b502efef5f5aebe851bcfc01e47e4165c8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-39690363-730359138-1046745555-1000\_desktop.ini
Filesize
9B

MD5
2822854d33e24347f613c750df46b810

SHA1
c2ea2529c032aa552d5a8301900cf27fc0f6045c

SHA256
73f2f888bdeaf9427c7aa3355fbe711e6570fb5e9e48c3f64cd229198ce85ad2

SHA512
21fff5d14e03a0420d9242a095c2e93ac2b7e6b9e49d12da907394ac9725bb746896721ceded88411895e9630a8ffbface168f0c02630b33300647d3d9e3326c

Download Submit
memory/1200-46-0x0000000001C40000-0x0000000001C42000-memory.dmp

Filesize
8KB

Download
memory/2184-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-118-0x0000000003000000-0x000000000408E000-memory.dmp

Filesize
16.6MB

Download
memory/2612-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-74-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2612-75-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2612-203-0x0000000003000000-0x000000000408E000-memory.dmp

Filesize
16.6MB

Download
memory/2612-157-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2612-106-0x0000000003000000-0x000000000408E000-memory.dmp

Filesize
16.6MB

Download
memory/2612-115-0x0000000003000000-0x000000000408E000-memory.dmp

Filesize
16.6MB

Download
memory/2612-102-0x0000000003000000-0x000000000408E000-memory.dmp

Filesize
16.6MB

Download
memory/2612-71-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2612-120-0x0000000003000000-0x000000000408E000-memory.dmp

Filesize
16.6MB

Download
memory/2724-72-0x0000000000270000-0x0000000000272000-memory.dmp

Filesize
8KB

Download
memory/2724-55-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2724-53-0x0000000000270000-0x0000000000272000-memory.dmp

Filesize
8KB

Download
memory/2724-70-0x0000000000270000-0x0000000000272000-memory.dmp

Filesize
8KB

Download
memory/2724-27-0x0000000000470000-0x00000000004F2000-memory.dmp

Filesize
520KB

Download
memory/2724-54-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2824-44-0x0000000001E00000-0x0000000002E8E000-memory.dmp

Filesize
16.6MB

Download
memory/2824-78-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/2824-84-0x0000000001E00000-0x0000000002E8E000-memory.dmp

Filesize
16.6MB

Download
memory/2824-35-0x0000000001E00000-0x0000000002E8E000-memory.dmp

Filesize
16.6MB

Download
memory/2824-45-0x0000000001E00000-0x0000000002E8E000-memory.dmp

Filesize
16.6MB

Download
memory/2824-82-0x0000000001E00000-0x0000000002E8E000-memory.dmp

Filesize
16.6MB

Download
memory/2824-77-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/2824-98-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2824-36-0x0000000001E00000-0x0000000002E8E000-memory.dmp

Filesize
16.6MB

Download
memory/2824-30-0x0000000001E00000-0x0000000002E8E000-memory.dmp

Filesize
16.6MB

Download
memory/2824-76-0x0000000001E00000-0x0000000002E8E000-memory.dmp

Filesize
16.6MB

Download
memory/2824-73-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2824-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2824-83-0x0000000001E00000-0x0000000002E8E000-memory.dmp

Filesize
16.6MB

Download
memory/2824-43-0x0000000001E00000-0x0000000002E8E000-memory.dmp

Filesize
16.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads