sality | 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Size

1.0MB
MD5

9a1c42042be407c78e3f1ff570a390a7
SHA1

0a44e081d37310cf72f0a86464107a7c402a1b1f
SHA256

179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f
SHA512

78b4dbed8490404140dc1dc3e3ef4667e7c81b0dfcd2d82f5e8428788406a924e04ee015928430d7d5c075cae356266cf73628e51063285306bc350e72a58534
SSDEEP

24576:l7H7f78khm7l72B2J797fqZ7f9HCrO0fmbGD4uz/cFDy:l7H7f7857l72BQ797y71HCrc/uzEo

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2556 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

Logo1_.exe179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

pid process

2580 Logo1_.exe
2468 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
2844 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.execmd.exe

pid process

2556 cmd.exe
2556 cmd.exe
2400 cmd.exe
2400 cmd.exe
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

behavioral1/memory/2468-33-0x0000000000610000-0x000000000169E000-memory.dmp upx
behavioral1/memory/2468-46-0x0000000000610000-0x000000000169E000-memory.dmp upx

pid	process
2556	cmd.exe

pid	process
2580	Logo1_.exe
2468	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
2844	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

pid	process
2556	cmd.exe
2556	cmd.exe
2400	cmd.exe
2400	cmd.exe

resource	yara_rule
behavioral1/memory/2468-33-0x0000000000610000-0x000000000169E000-memory.dmp	upx
behavioral1/memory/2468-46-0x0000000000610000-0x000000000169E000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Games\More Games\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DAO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\Chess.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini	Logo1_.exe

Drops file in Windows directory 6 IoCs

Processes:

Logo1_.exe179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

description	ioc	process
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
File created	C:\Windows\Logo1_.exe	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File opened for modification	C:\Windows\rundl132.exe	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
File created	C:\Windows\Logo1_.exe	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Logo1_.exe

pid process

2580 Logo1_.exe
2580 Logo1_.exe
2580 Logo1_.exe
2580 Logo1_.exe
2580 Logo1_.exe
2580 Logo1_.exe
2580 Logo1_.exe
2580 Logo1_.exe
2580 Logo1_.exe
2580 Logo1_.exe

pid	process
2580	Logo1_.exe
2580	Logo1_.exe
2580	Logo1_.exe
2580	Logo1_.exe
2580	Logo1_.exe
2580	Logo1_.exe
2580	Logo1_.exe
2580	Logo1_.exe
2580	Logo1_.exe
2580	Logo1_.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exeLogo1_.execmd.exenet.exe179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.execmd.exe

description	pid	process	target process
PID 2552 wrote to memory of 2556	2552	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe	cmd.exe
PID 2552 wrote to memory of 2556	2552	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe	cmd.exe
PID 2552 wrote to memory of 2556	2552	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe	cmd.exe
PID 2552 wrote to memory of 2556	2552	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe	cmd.exe
PID 2552 wrote to memory of 2580	2552	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe	Logo1_.exe
PID 2552 wrote to memory of 2580	2552	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe	Logo1_.exe
PID 2552 wrote to memory of 2580	2552	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe	Logo1_.exe
PID 2552 wrote to memory of 2580	2552	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe	Logo1_.exe
PID 2580 wrote to memory of 2876	2580	Logo1_.exe	net.exe
PID 2580 wrote to memory of 2876	2580	Logo1_.exe	net.exe
PID 2580 wrote to memory of 2876	2580	Logo1_.exe	net.exe
PID 2580 wrote to memory of 2876	2580	Logo1_.exe	net.exe
PID 2556 wrote to memory of 2468	2556	cmd.exe	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
PID 2556 wrote to memory of 2468	2556	cmd.exe	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
PID 2556 wrote to memory of 2468	2556	cmd.exe	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
PID 2556 wrote to memory of 2468	2556	cmd.exe	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
PID 2876 wrote to memory of 2504	2876	net.exe	net1.exe
PID 2876 wrote to memory of 2504	2876	net.exe	net1.exe
PID 2876 wrote to memory of 2504	2876	net.exe	net1.exe
PID 2876 wrote to memory of 2504	2876	net.exe	net1.exe
PID 2468 wrote to memory of 2400	2468	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe	cmd.exe
PID 2468 wrote to memory of 2400	2468	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe	cmd.exe
PID 2468 wrote to memory of 2400	2468	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe	cmd.exe
PID 2468 wrote to memory of 2400	2468	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe	cmd.exe
PID 2400 wrote to memory of 2844	2400	cmd.exe	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
PID 2400 wrote to memory of 2844	2400	cmd.exe	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
PID 2400 wrote to memory of 2844	2400	cmd.exe	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
PID 2400 wrote to memory of 2844	2400	cmd.exe	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
PID 2580 wrote to memory of 1092	2580	Logo1_.exe	Explorer.EXE
PID 2580 wrote to memory of 1092	2580	Logo1_.exe	Explorer.EXE

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
"C:\Users\Admin\AppData\Local\Temp\179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a11DC.bat
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556

C:\Users\Admin\AppData\Local\Temp\179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
"C:\Users\Admin\AppData\Local\Temp\179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe"
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2468

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a12E5.bat
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400

C:\Users\Admin\AppData\Local\Temp\179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
"C:\Users\Admin\AppData\Local\Temp\179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe"
6⤵
- Executes dropped EXE
PID:2844

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2504

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
251KB

MD5
0b02dfc1b962c1df256edd0052bc5139

SHA1
d54d2df2f257aa6d97ad85eec6d7d4220e106fa3

SHA256
af941ea3805324883d0945a55f06f88a84848281b7e2a032618bd85be6983adb

SHA512
c420baa3414fce1f4604b636d05bf803d816529cfd78d00f48a7ed875822fc36157bf5bbccef6fd93bab3e98491c7985f3cfdf61985f9e4e407310aa7757e289

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a11DC.bat
Filesize
722B

MD5
06858f109614fb5daf4d9ad62dcdd371

SHA1
be7bc184ccc152cbe76eb71388a3cf4593f47ef6

SHA256
68234be91f767782237eab025db4fe88c3f36f3fb1a23ea3c1c777b6525f3ae5

SHA512
ea819c62cf28757be892a4868eec20127328b3c6a780a52a214397ccc6d6d2b46804e39ea3e996f5f7be4cbf80f16d8debd3d47db8518ce70a611d30661bf981

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a12E5.bat
Filesize
722B

MD5
ed474c67103100a4c2f3a30bea981a84

SHA1
2d2aba1ba649075023e3da9ccccb5350c13e628e

SHA256
71fa076e851d85c3599c55d082e020fcfbc4485983d3a886b9759bf26a444533

SHA512
1cd5343c2500044a243d3d083012e464d57d09e99a9f500c9950e139200517ae89d15f3e60293b8a8d86cac7aeb246720ad52c74cbb786fe9e63cc999e5b72c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe.exe
Filesize
981KB

MD5
6f8aac91731edf732fe02b457eded4da

SHA1
6b1ad7be49671e42c5cb2c2f477260755f3a12e3

SHA256
69ce9375840715b47d1cfdfa281ce51c5fe5890f980a76ff2d5c1926596486e2

SHA512
da6dc0e7fab669f7f77b8f5542c6ca25a736bcc1f028136cf1a739c40a744be4b3a746ce623fb27cc7dd13d7220923033597c1687796a4e68d061ca00a939509

Download Submit
C:\Users\Admin\AppData\Local\Temp\179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe.exe
Filesize
1008KB

MD5
47239e98f567a255ad59a52ece290642

SHA1
0aae5976179fce9f3a436e7add255aeaeb5df1bc

SHA256
e78d3ba5ce7661ec118c426e03a5c4447f36779bfa63cad80499bd0b4f2cf0dd

SHA512
48598e106df1b69a6e7dd282a37640ea1496ae67d7ddd3f89bcab07ec81ddda0cc6f95bc681fdcb502fe7c2e83c86e59f8b5f83bb008cd3fb91d62a0899dea9f

Download Submit
C:\Windows\Logo1_.exe
Filesize
26KB

MD5
cbf2e5f5ea26c76bc9bfaa9f3f3b645c

SHA1
7a9a99cb59c1f79b2eb5f7c6094dc8e05c7a6ca1

SHA256
9d8e85c12fc228fc9dff2547d4a61d07ef9ecc13a6d941d9f0bbd275be2df458

SHA512
92f3da9c690400d880355e186a8595c68a7b541fdd37e4f5683741452827e177fefbc501492d29edf9c82ef6de1ebb6673da962722d56040100a08a56a8a4f63

Download Submit
C:\Windows\rundl132.exe
Filesize
26KB

MD5
8408aba27de545e1657225a6b99a0386

SHA1
e50d7733353091e794a117a5f32d95893e43ffda

SHA256
aea3e315fdbfa4bdad906172f8897d5622ca865aed85453b58e778bc1660d2d9

SHA512
fdb3486e70aa28cea0e28f704e571160b96c60be91167fcaff87e9aa05a250a279ef95d2857a401b400cb97c76a8a224fff2b8e9db746bc9f3a0ffbf832224a1

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini
Filesize
9B

MD5
2822854d33e24347f613c750df46b810

SHA1
c2ea2529c032aa552d5a8301900cf27fc0f6045c

SHA256
73f2f888bdeaf9427c7aa3355fbe711e6570fb5e9e48c3f64cd229198ce85ad2

SHA512
21fff5d14e03a0420d9242a095c2e93ac2b7e6b9e49d12da907394ac9725bb746896721ceded88411895e9630a8ffbface168f0c02630b33300647d3d9e3326c

Download Submit
memory/1092-56-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/2400-52-0x00000000003C0000-0x0000000000407000-memory.dmp

Filesize
284KB

Download
memory/2400-53-0x00000000003C0000-0x0000000000407000-memory.dmp

Filesize
284KB

Download
memory/2468-31-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2468-46-0x0000000000610000-0x000000000169E000-memory.dmp

Filesize
16.6MB

Download
memory/2468-45-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2468-33-0x0000000000610000-0x000000000169E000-memory.dmp

Filesize
16.6MB

Download
memory/2552-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-30-0x0000000000300000-0x0000000000345000-memory.dmp

Filesize
276KB

Download
memory/2556-29-0x0000000000300000-0x0000000000345000-memory.dmp

Filesize
276KB

Download
memory/2580-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2580-67-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2580-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2580-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2580-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2580-1877-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2580-3337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2580-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-54-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads