sality | ecbc34e6b5739a37dc046dfecf8e067eff30b4d1a4bf7531147286fbb45e1be5

Analysis

max time kernel
126s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Size

2.8MB
MD5

75d53417d21654acbe4565e04a5e3353
SHA1

18f996da80eee26b0fe48da445586f190aa710bd
SHA256

ecbc34e6b5739a37dc046dfecf8e067eff30b4d1a4bf7531147286fbb45e1be5
SHA512

91231190df5e55dd5fc330dd39651998206bdae2de91c0274e9a9c3d1c856aaef4031b3a24356c1a4f41abd6f017714f8e45112025f01a24e421747700223307
SSDEEP

49152:5XWtGqeLA3MUwfOBIDGVV99pM78Q/9tf7D/0aJoYKsaABNTHpSNk50AjOOZALIE:5mreLKyfO24VRM78Q/9hEeobnABNTANF

Score

10^/10

sality aspackv2 backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

ASPack v2.12-2.42 1 IoCs
Detects executables packed with ASPack v2.12-2.42
aspackv2

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\plgMeM.exe aspack_v212_v242
Executes dropped EXE 1 IoCs

Processes:

plgMeM.exe

pid process

2728 plgMeM.exe
Loads dropped DLL 2 IoCs

Processes:

R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

pid process

2400 R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
2400 R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\plgMeM.exe	aspack_v212_v242

pid	process
2728	plgMeM.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2400-1-0x0000000000400000-0x0000000000BEA000-memory.dmp	upx
behavioral1/memory/2400-12-0x00000000026D0000-0x000000000375E000-memory.dmp	upx
behavioral1/memory/2400-8-0x00000000026D0000-0x000000000375E000-memory.dmp	upx
behavioral1/memory/2400-3-0x00000000026D0000-0x000000000375E000-memory.dmp	upx
behavioral1/memory/2400-11-0x00000000026D0000-0x000000000375E000-memory.dmp	upx
behavioral1/memory/2400-0-0x00000000026D0000-0x000000000375E000-memory.dmp	upx
behavioral1/memory/2400-7-0x00000000026D0000-0x000000000375E000-memory.dmp	upx
behavioral1/memory/2400-4-0x00000000026D0000-0x000000000375E000-memory.dmp	upx
behavioral1/memory/2400-10-0x00000000026D0000-0x000000000375E000-memory.dmp	upx
behavioral1/memory/2400-9-0x00000000026D0000-0x000000000375E000-memory.dmp	upx
behavioral1/memory/2400-13-0x00000000026D0000-0x000000000375E000-memory.dmp	upx
behavioral1/memory/2400-14-0x00000000026D0000-0x000000000375E000-memory.dmp	upx
behavioral1/memory/2400-41-0x00000000026D0000-0x000000000375E000-memory.dmp	upx
behavioral1/memory/2400-47-0x00000000026D0000-0x000000000375E000-memory.dmp	upx
behavioral1/memory/2400-48-0x00000000026D0000-0x000000000375E000-memory.dmp	upx
behavioral1/memory/2400-50-0x00000000026D0000-0x000000000375E000-memory.dmp	upx
behavioral1/memory/2400-51-0x00000000026D0000-0x000000000375E000-memory.dmp	upx
behavioral1/memory/2400-52-0x00000000026D0000-0x000000000375E000-memory.dmp	upx
behavioral1/memory/2400-55-0x00000000026D0000-0x000000000375E000-memory.dmp	upx
behavioral1/memory/2400-63-0x00000000026D0000-0x000000000375E000-memory.dmp	upx
behavioral1/memory/2400-64-0x00000000026D0000-0x000000000375E000-memory.dmp	upx
behavioral1/memory/2400-65-0x00000000026D0000-0x000000000375E000-memory.dmp	upx
behavioral1/memory/2400-66-0x0000000000400000-0x0000000000BEA000-memory.dmp	upx
behavioral1/memory/2400-68-0x00000000026D0000-0x000000000375E000-memory.dmp	upx
behavioral1/memory/2400-83-0x00000000026D0000-0x000000000375E000-memory.dmp	upx
behavioral1/memory/2400-85-0x00000000026D0000-0x000000000375E000-memory.dmp	upx
behavioral1/memory/2400-101-0x00000000026D0000-0x000000000375E000-memory.dmp	upx
behavioral1/memory/2400-102-0x00000000026D0000-0x000000000375E000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

Enumerates connected drives 3 TTPs 20 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description	ioc	process
File opened (read-only)	\??\Q:	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
File opened (read-only)	\??\I:	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
File opened (read-only)	\??\K:	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
File opened (read-only)	\??\N:	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
File opened (read-only)	\??\R:	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
File opened (read-only)	\??\T:	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
File opened (read-only)	\??\V:	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
File opened (read-only)	\??\Y:	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
File opened (read-only)	\??\Z:	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
File opened (read-only)	\??\G:	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
File opened (read-only)	\??\H:	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
File opened (read-only)	\??\S:	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
File opened (read-only)	\??\W:	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
File opened (read-only)	\??\X:	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
File opened (read-only)	\??\M:	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
File opened (read-only)	\??\O:	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
File opened (read-only)	\??\L:	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
File opened (read-only)	\??\U:	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
File opened (read-only)	\??\E:	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
File opened (read-only)	\??\J:	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description	ioc	process
File opened for modification	C:\autorun.inf	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
File opened for modification	F:\autorun.inf	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

Drops file in Program Files directory 64 IoCs

Processes:

plgMeM.exeR2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	plgMeM.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	plgMeM.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	plgMeM.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	plgMeM.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	plgMeM.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	plgMeM.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	plgMeM.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	plgMeM.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE	plgMeM.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	plgMeM.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	plgMeM.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	plgMeM.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	plgMeM.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	plgMeM.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe	plgMeM.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	plgMeM.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	plgMeM.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabmig.exe	plgMeM.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	plgMeM.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	plgMeM.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	plgMeM.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	plgMeM.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE	plgMeM.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	plgMeM.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	plgMeM.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE	plgMeM.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	plgMeM.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	plgMeM.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	plgMeM.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	plgMeM.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	plgMeM.exe
File opened for modification	C:\Program Files\Windows Journal\PDIALOG.exe	plgMeM.exe

Drops file in Windows directory 1 IoCs

Processes:

R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

pid	process
2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description	pid	process
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

pid process

2400 R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
2400 R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

R2登录器制作工具（带更新，反外挂，简约皮肤）.exeplgMeM.exe

description	pid	process	target process
PID 2400 wrote to memory of 2728	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	plgMeM.exe
PID 2400 wrote to memory of 2728	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	plgMeM.exe
PID 2400 wrote to memory of 2728	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	plgMeM.exe
PID 2400 wrote to memory of 2728	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	plgMeM.exe
PID 2400 wrote to memory of 1040	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Dwm.exe
PID 2400 wrote to memory of 1064	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	taskhost.exe
PID 2400 wrote to memory of 1116	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Explorer.EXE
PID 2400 wrote to memory of 1540	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	DllHost.exe
PID 2400 wrote to memory of 1040	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Dwm.exe
PID 2400 wrote to memory of 1064	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	taskhost.exe
PID 2400 wrote to memory of 1116	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Explorer.EXE
PID 2400 wrote to memory of 1540	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	DllHost.exe
PID 2400 wrote to memory of 2728	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	plgMeM.exe
PID 2400 wrote to memory of 2728	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	plgMeM.exe
PID 2400 wrote to memory of 784	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	DllHost.exe
PID 2728 wrote to memory of 2164	2728	plgMeM.exe	cmd.exe
PID 2728 wrote to memory of 2164	2728	plgMeM.exe	cmd.exe
PID 2728 wrote to memory of 2164	2728	plgMeM.exe	cmd.exe
PID 2728 wrote to memory of 2164	2728	plgMeM.exe	cmd.exe
PID 2400 wrote to memory of 1040	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Dwm.exe
PID 2400 wrote to memory of 1064	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	taskhost.exe
PID 2400 wrote to memory of 1116	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Explorer.EXE
PID 2400 wrote to memory of 1540	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	DllHost.exe
PID 2400 wrote to memory of 1040	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Dwm.exe
PID 2400 wrote to memory of 1064	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	taskhost.exe
PID 2400 wrote to memory of 1116	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Explorer.EXE
PID 2400 wrote to memory of 1540	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	DllHost.exe
PID 2400 wrote to memory of 1040	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Dwm.exe
PID 2400 wrote to memory of 1064	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	taskhost.exe
PID 2400 wrote to memory of 1116	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Explorer.EXE
PID 2400 wrote to memory of 1540	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	DllHost.exe
PID 2400 wrote to memory of 1040	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Dwm.exe
PID 2400 wrote to memory of 1064	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	taskhost.exe
PID 2400 wrote to memory of 1116	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Explorer.EXE
PID 2400 wrote to memory of 1540	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	DllHost.exe
PID 2400 wrote to memory of 1040	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Dwm.exe
PID 2400 wrote to memory of 1064	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	taskhost.exe
PID 2400 wrote to memory of 1116	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Explorer.EXE
PID 2400 wrote to memory of 1540	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	DllHost.exe
PID 2400 wrote to memory of 1040	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Dwm.exe
PID 2400 wrote to memory of 1064	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	taskhost.exe
PID 2400 wrote to memory of 1116	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Explorer.EXE
PID 2400 wrote to memory of 1540	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	DllHost.exe
PID 2400 wrote to memory of 1040	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Dwm.exe
PID 2400 wrote to memory of 1064	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	taskhost.exe
PID 2400 wrote to memory of 1116	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Explorer.EXE
PID 2400 wrote to memory of 1540	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	DllHost.exe
PID 2400 wrote to memory of 1040	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Dwm.exe
PID 2400 wrote to memory of 1064	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	taskhost.exe
PID 2400 wrote to memory of 1116	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Explorer.EXE
PID 2400 wrote to memory of 1540	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	DllHost.exe
PID 2400 wrote to memory of 1040	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Dwm.exe
PID 2400 wrote to memory of 1064	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	taskhost.exe
PID 2400 wrote to memory of 1116	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Explorer.EXE
PID 2400 wrote to memory of 1540	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	DllHost.exe
PID 2400 wrote to memory of 1040	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Dwm.exe
PID 2400 wrote to memory of 1064	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	taskhost.exe
PID 2400 wrote to memory of 1116	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Explorer.EXE
PID 2400 wrote to memory of 1540	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	DllHost.exe
PID 2400 wrote to memory of 1040	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Dwm.exe
PID 2400 wrote to memory of 1064	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	taskhost.exe
PID 2400 wrote to memory of 1116	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Explorer.EXE
PID 2400 wrote to memory of 1540	2400	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	DllHost.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1040

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1064

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
"C:\Users\Admin\AppData\Local\Temp\R2登录器制作工具（带更新，反外挂，简约皮肤）.exe"
2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2400

C:\Users\Admin\AppData\Local\Temp\plgMeM.exe
C:\Users\Admin\AppData\Local\Temp\plgMeM.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\6f7063d7.bat" "
4⤵
PID:2164

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1540

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:784

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRAM FILES\7-ZIP\Uninstall.exe
Filesize
1.1MB

MD5
14d1ed17d89c5a8e91bfc212aa30e782

SHA1
d456ebcee734eadd3c64001f70c475e2e36c53ad

SHA256
3df7fab54dbf2184eabcfb3d4a147c47b5dc4bc3adc1dd58fedb98fbed806c74

SHA512
d90a4c85c29a02ff0ddaa8b3265753f0908264eb0e028539f8cd60a13ad2151c66e881f9f4daf74f2248c4fd25eb80e53abadc353de48d4f5c7abfb2cdd6fbb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\69P6875H\k2[1].rar
Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f7063d7.bat
Filesize
187B

MD5
9b05637659c7c50a9bbffcbdf5c09f64

SHA1
51f4fd2f8da1044450ee3dc5bece3757250fceb7

SHA256
2dbee693c4e522e8311e28022468bddba44695153e6fcf232d8dd492713df83c

SHA512
9ce459767f22eb7285e4e558ca89d15ee37e0d4ffd3c3bb149b1fa5363ea026d9f704344d29d5204a3a535719ed377a49fb35548b106b96045a11091fb2c5b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\plgMeM.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\wowrqj.exe
Filesize
100KB

MD5
b81c293757c84509d5156f87ca985784

SHA1
35f27b90885b12ad785ca54b72e280729d20a707

SHA256
f16992d2265329f587572185224ee9a94ef7375bb167d52f06061490e89f6d90

SHA512
cf9f3c9d1505e4ed823369549406310f25c92774f7657cb21547cb3a96e193138c32a3f20c6eaa36ad493e23724213ce9e55f497e2024d1b2363c25e8f3edc6c

Download Submit
memory/1040-26-0x0000000001DA0000-0x0000000001DA2000-memory.dmp

Filesize
8KB

Download
memory/2400-41-0x00000000026D0000-0x000000000375E000-memory.dmp

Filesize
16.6MB

Download
memory/2400-52-0x00000000026D0000-0x000000000375E000-memory.dmp

Filesize
16.6MB

Download
memory/2400-10-0x00000000026D0000-0x000000000375E000-memory.dmp

Filesize
16.6MB

Download
memory/2400-9-0x00000000026D0000-0x000000000375E000-memory.dmp

Filesize
16.6MB

Download
memory/2400-13-0x00000000026D0000-0x000000000375E000-memory.dmp

Filesize
16.6MB

Download
memory/2400-7-0x00000000026D0000-0x000000000375E000-memory.dmp

Filesize
16.6MB

Download
memory/2400-37-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/2400-38-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/2400-36-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2400-34-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2400-33-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/2400-0-0x00000000026D0000-0x000000000375E000-memory.dmp

Filesize
16.6MB

Download
memory/2400-12-0x00000000026D0000-0x000000000375E000-memory.dmp

Filesize
16.6MB

Download
memory/2400-14-0x00000000026D0000-0x000000000375E000-memory.dmp

Filesize
16.6MB

Download
memory/2400-22-0x0000000000280000-0x0000000000289000-memory.dmp

Filesize
36KB

Download
memory/2400-21-0x0000000000280000-0x0000000000289000-memory.dmp

Filesize
36KB

Download
memory/2400-1-0x0000000000400000-0x0000000000BEA000-memory.dmp

Filesize
7.9MB

Download
memory/2400-47-0x00000000026D0000-0x000000000375E000-memory.dmp

Filesize
16.6MB

Download
memory/2400-48-0x00000000026D0000-0x000000000375E000-memory.dmp

Filesize
16.6MB

Download
memory/2400-50-0x00000000026D0000-0x000000000375E000-memory.dmp

Filesize
16.6MB

Download
memory/2400-51-0x00000000026D0000-0x000000000375E000-memory.dmp

Filesize
16.6MB

Download
memory/2400-4-0x00000000026D0000-0x000000000375E000-memory.dmp

Filesize
16.6MB

Download
memory/2400-55-0x00000000026D0000-0x000000000375E000-memory.dmp

Filesize
16.6MB

Download
memory/2400-11-0x00000000026D0000-0x000000000375E000-memory.dmp

Filesize
16.6MB

Download
memory/2400-63-0x00000000026D0000-0x000000000375E000-memory.dmp

Filesize
16.6MB

Download
memory/2400-64-0x00000000026D0000-0x000000000375E000-memory.dmp

Filesize
16.6MB

Download
memory/2400-65-0x00000000026D0000-0x000000000375E000-memory.dmp

Filesize
16.6MB

Download
memory/2400-66-0x0000000000400000-0x0000000000BEA000-memory.dmp

Filesize
7.9MB

Download
memory/2400-68-0x00000000026D0000-0x000000000375E000-memory.dmp

Filesize
16.6MB

Download
memory/2400-8-0x00000000026D0000-0x000000000375E000-memory.dmp

Filesize
16.6MB

Download
memory/2400-120-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/2400-102-0x00000000026D0000-0x000000000375E000-memory.dmp

Filesize
16.6MB

Download
memory/2400-101-0x00000000026D0000-0x000000000375E000-memory.dmp

Filesize
16.6MB

Download
memory/2400-83-0x00000000026D0000-0x000000000375E000-memory.dmp

Filesize
16.6MB

Download
memory/2400-85-0x00000000026D0000-0x000000000375E000-memory.dmp

Filesize
16.6MB

Download
memory/2400-3-0x00000000026D0000-0x000000000375E000-memory.dmp

Filesize
16.6MB

Download
memory/2728-81-0x00000000002B0000-0x00000000002B2000-memory.dmp

Filesize
8KB

Download
memory/2728-77-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2728-79-0x00000000000C0000-0x00000000000C9000-memory.dmp

Filesize
36KB

Download
memory/2728-80-0x00000000002B0000-0x00000000002B2000-memory.dmp

Filesize
8KB

Download
memory/2728-25-0x00000000000C0000-0x00000000000C9000-memory.dmp

Filesize
36KB

Download