Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-06-2024 01:22
- Static task: static1
- Behavioral task: behavioral1
- Sample: 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
- Resource: win7-20240220-en
General
- Target: 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
- Size: 1.0MB
- MD5: 9a1c42042be407c78e3f1ff570a390a7
- SHA1: 0a44e081d37310cf72f0a86464107a7c402a1b1f
- SHA256: 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f
- SHA512: 78b4dbed8490404140dc1dc3e3ef4667e7c81b0dfcd2d82f5e8428788406a924e04ee015928430d7d5c075cae356266cf73628e51063285306bc350e72a58534
- SSDEEP: 24576:l7H7f78khm7l72B2J797fqZ7f9HCrO0fmbGD4uz/cFDy:l7H7f7857l72BQ797y71HCrc/uzEo
Malware Config
Extracted family: sality
URLs from the extracted config:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service 3 TTPs 3 IoCs
Process: 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
UAC bypass
Process: 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass
Process: 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Executes dropped EXE 3 IoCs
Processes: Logo1_.exe, 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
- PID 2116: Logo1_.exe
- PID 3596: 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
- PID 3024: 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Yara rule match: upx
Memory dumps matching the yara rule "upx" (all from PID 3596):
- behavioral2/memory/3596-21-0x0000000000760000-0x00000000017EE000-memory.dmp
- behavioral2/memory/3596-23-0x0000000000760000-0x00000000017EE000-memory.dmp
- behavioral2/memory/3596-29-0x0000000000760000-0x00000000017EE000-memory.dmp
- behavioral2/memory/3596-30-0x0000000000760000-0x00000000017EE000-memory.dmp
- behavioral2/memory/3596-32-0x0000000000760000-0x00000000017EE000-memory.dmp
Windows security modification
Process: 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Checks whether UAC is enabled
Process: 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Process: Logo1_.exe
- File opened (read-only) for each of: \??\V:, \??\S:, \??\Q:, \??\I:, \??\E:, \??\Z:, \??\Y:, \??\T:, \??\R:, \??\O:, \??\L:, \??\G:, \??\X:, \??\W:, \??\U:, \??\P:, \??\N:, \??\M:, \??\K:, \??\J:, \??\H:
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 7 IoCs
Processes: 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe, Logo1_.exe
- File opened for modification C:\Windows\rundl132.exe (179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe)
- File created C:\Windows\Logo1_.exe (179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe)
- File created C:\Windows\vDll.dll (Logo1_.exe)
- File created C:\Windows\rundl132.exe (179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe)
- File created C:\Windows\Logo1_.exe (179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe)
- File opened for modification C:\Windows\rundl132.exe (Logo1_.exe)
- File opened for modification C:\Windows\SYSTEM.INI (179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe)
Runs net.exe
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes (22 process-enumeration events in total):
- PID 2116: Logo1_.exe (20 events)
- PID 3596: 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe (2 events)
Suspicious use of AdjustPrivilegeToken 50 IoCs
Process: 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe (PID 3596)
- Token: SeDebugPrivilege (50 identical events)
Suspicious use of WriteProcessMemory 28 IoCs
Processes: 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe, Logo1_.exe, net.exe, cmd.exe
Writes (source PID and process, target PID and process, number of events):
- PID 4592 (179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe) wrote to memory of PID 2404 (cmd.exe), 3 events
- PID 4592 (179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe) wrote to memory of PID 2116 (Logo1_.exe), 3 events
- PID 2116 (Logo1_.exe) wrote to memory of PID 2100 (net.exe), 3 events
- PID 2100 (net.exe) wrote to memory of PID 2844 (net1.exe), 3 events
- PID 2404 (cmd.exe) wrote to memory of PID 3596 (179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe), 3 events
- PID 3596 (179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe) wrote to memory of PID 776 (fontdrvhost.exe), 1 event
- PID 3596 (179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe) wrote to memory of PID 784 (fontdrvhost.exe), 1 event
- PID 3596 (179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe) wrote to memory of PID 316 (dwm.exe), 1 event
- PID 3596 (179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe) wrote to memory of PID 2788 (sihost.exe), 1 event
- PID 3596 (179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe) wrote to memory of PID 2808 (svchost.exe), 1 event
- PID 3596 (179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe) wrote to memory of PID 1260 (cmd.exe), 3 events
- PID 1260 (cmd.exe) wrote to memory of PID 3024 (179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe), 3 events
- PID 2116 (Logo1_.exe) wrote to memory of PID 3420 (Explorer.EXE), 2 events
System policy modification 1 TTPs 1 IoCs
Process: 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
Process tree (indentation shows depth; the number in brackets is the depth recorded by the sandbox):

[1] C:\Windows\system32\fontdrvhost.exe
    Command line: "fontdrvhost.exe"
[1] C:\Windows\system32\fontdrvhost.exe
    Command line: "fontdrvhost.exe"
[1] C:\Windows\system32\dwm.exe
    Command line: "dwm.exe"
[1] C:\Windows\system32\sihost.exe
    Command line: sihost.exe
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    [2] C:\Users\Admin\AppData\Local\Temp\179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe"
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4304.bat
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe"
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
                [5] C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a44BA.bat
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Users\Admin\AppData\Local\Temp\179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
                        Command line: "C:\Users\Admin\AppData\Local\Temp\179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe"
                        - Executes dropped EXE
        [3] C:\Windows\Logo1_.exe
            Command line: C:\Windows\Logo1_.exe
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\net.exe
                Command line: net stop "Kingsoft AntiVirus Service"
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\net1.exe
                    Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Matrix (ATT&CK v13; the number in parentheses is the count of matching signatures)

Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)

Defense Evasion
- Modify Registry (5)
- Impair Defenses (4)
  - Disable or Modify Tools (3)
  - Disable or Modify System Firewall (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
- Filesize: 251KB
- MD5: 0b02dfc1b962c1df256edd0052bc5139
- SHA1: d54d2df2f257aa6d97ad85eec6d7d4220e106fa3
- SHA256: af941ea3805324883d0945a55f06f88a84848281b7e2a032618bd85be6983adb
- SHA512: c420baa3414fce1f4604b636d05bf803d816529cfd78d00f48a7ed875822fc36157bf5bbccef6fd93bab3e98491c7985f3cfdf61985f9e4e407310aa7757e289

C:\Program Files\7-Zip\7z.exe
- Filesize: 570KB
- MD5: 7302c943350f08b7983b56011dfebfff
- SHA1: 3fedfd2ebaf04b09635a218f230726e64d258a91
- SHA256: a2e2b505debc071b445ca0cefe611a367a398cdb016f835eceacbd3b01a405e7
- SHA512: a57c8ca91e529bec9d502ef3b204deb6d09f5ecb46ef135d130259d1936618180fe13db55bd5f7bebbec1d477ea9bb9f98455b59f09b4d45c00ecd3a3df70803

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
- Filesize: 636KB
- MD5: 2500f702e2b9632127c14e4eaae5d424
- SHA1: 8726fef12958265214eeb58001c995629834b13a
- SHA256: 82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c
- SHA512: f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

C:\Users\Admin\AppData\Local\Temp\$$a4304.bat
- Filesize: 722B
- MD5: 254934e1bed74bb5da44b18bcf7f999e
- SHA1: 41daca51746bff972e34860693811a27b73809eb
- SHA256: a1a9d4127698e34c09ee0fb5edf3147debfcd65878656823d5ff0d58255cd062
- SHA512: 7b56f2eaf8bce03feae8b79081fa0ac7acc125eab5ed6719f9958c4f029c6c8f9a4e3f95d149bbaed080e05fe5c21b72388d9d61a07ff11f802df23d5a6a6b00

C:\Users\Admin\AppData\Local\Temp\$$a44BA.bat
- Filesize: 722B
- MD5: 99eaae8a5b104ff7f04f0bdcf752788a
- SHA1: 831fd12201322e3e5bf668b0b88e0ab08b99b738
- SHA256: 79f033cad4857faca9830defd3201336a328b5a0ab9bd8d60b317f7356300768
- SHA512: 75890fbc2f618c24a1705fc4eb7b953e5ee5546b4c9ac14062a795dc381cd5259ed3d69a6453068c9504607d8b4537c250c6de6f56999678d8a9e397fea35adc

C:\Users\Admin\AppData\Local\Temp\179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe.exe
- Filesize: 1008KB
- MD5: 47239e98f567a255ad59a52ece290642
- SHA1: 0aae5976179fce9f3a436e7add255aeaeb5df1bc
- SHA256: e78d3ba5ce7661ec118c426e03a5c4447f36779bfa63cad80499bd0b4f2cf0dd
- SHA512: 48598e106df1b69a6e7dd282a37640ea1496ae67d7ddd3f89bcab07ec81ddda0cc6f95bc681fdcb502fe7c2e83c86e59f8b5f83bb008cd3fb91d62a0899dea9f

C:\Users\Admin\AppData\Local\Temp\179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe.exe
- Filesize: 981KB
- MD5: 6f8aac91731edf732fe02b457eded4da
- SHA1: 6b1ad7be49671e42c5cb2c2f477260755f3a12e3
- SHA256: 69ce9375840715b47d1cfdfa281ce51c5fe5890f980a76ff2d5c1926596486e2
- SHA512: da6dc0e7fab669f7f77b8f5542c6ca25a736bcc1f028136cf1a739c40a744be4b3a746ce623fb27cc7dd13d7220923033597c1687796a4e68d061ca00a939509

C:\Windows\Logo1_.exe
- Filesize: 26KB
- MD5: cbf2e5f5ea26c76bc9bfaa9f3f3b645c
- SHA1: 7a9a99cb59c1f79b2eb5f7c6094dc8e05c7a6ca1
- SHA256: 9d8e85c12fc228fc9dff2547d4a61d07ef9ecc13a6d941d9f0bbd275be2df458
- SHA512: 92f3da9c690400d880355e186a8595c68a7b541fdd37e4f5683741452827e177fefbc501492d29edf9c82ef6de1ebb6673da962722d56040100a08a56a8a4f63

C:\Windows\rundl132.exe
- Filesize: not recorded (the hashes below are those of a zero-byte file)
- MD5: d41d8cd98f00b204e9800998ecf8427e
- SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
- SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
- SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

F:\$RECYCLE.BIN\S-1-5-21-3558294865-3673844354-2255444939-1000\_desktop.ini
- Filesize: 9B
- MD5: 2822854d33e24347f613c750df46b810
- SHA1: c2ea2529c032aa552d5a8301900cf27fc0f6045c
- SHA256: 73f2f888bdeaf9427c7aa3355fbe711e6570fb5e9e48c3f64cd229198ce85ad2
- SHA512: 21fff5d14e03a0420d9242a095c2e93ac2b7e6b9e49d12da907394ac9725bb746896721ceded88411895e9630a8ffbface168f0c02630b33300647d3d9e3326c