Analysis
max time kernel: 126s
max time network: 123s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 05-07-2024 05:59

Behavioral task: behavioral1
Sample: R2登录器制作工具(带更新,反外挂,简约皮肤).exe
Resource: win7-20240704-en
General
Target: R2登录器制作工具(带更新,反外挂,简约皮肤).exe
Size: 2.8MB
MD5: 75d53417d21654acbe4565e04a5e3353
SHA1: 18f996da80eee26b0fe48da445586f190aa710bd
SHA256: ecbc34e6b5739a37dc046dfecf8e067eff30b4d1a4bf7531147286fbb45e1be5
SHA512: 91231190df5e55dd5fc330dd39651998206bdae2de91c0274e9a9c3d1c856aaef4031b3a24356c1a4f41abd6f017714f8e45112025f01a24e421747700223307
SSDEEP: 49152:5XWtGqeLA3MUwfOBIDGVV99pM78Q/9tf7D/0aJoYKsaABNTHpSNk50AjOOZALIE:5mreLKyfO24VRM78Q/9hEeobnABNTANF
Malware Config
Extracted family: sality
URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
  http://www.klkjwre9fqwieluoi.info/
  http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service  (3 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
-
UAC bypass
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
-
Windows security bypass
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
-
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\plgMeM.exe | aspack_v212_v242
-
Executes dropped EXE  (1 IoCs)
Processes:
  pid | process
  2728 | plgMeM.exe
-
Loads dropped DLL  (2 IoCs)
Processes:
  pid | process
  2400 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  2400 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
-
Processes:
  resource | yara_rule
  behavioral1/memory/2400-1-0x0000000000400000-0x0000000000BEA000-memory.dmp | upx
  behavioral1/memory/2400-12-0x00000000026D0000-0x000000000375E000-memory.dmp | upx
  behavioral1/memory/2400-8-0x00000000026D0000-0x000000000375E000-memory.dmp | upx
  behavioral1/memory/2400-3-0x00000000026D0000-0x000000000375E000-memory.dmp | upx
  behavioral1/memory/2400-11-0x00000000026D0000-0x000000000375E000-memory.dmp | upx
  behavioral1/memory/2400-0-0x00000000026D0000-0x000000000375E000-memory.dmp | upx
  behavioral1/memory/2400-7-0x00000000026D0000-0x000000000375E000-memory.dmp | upx
  behavioral1/memory/2400-4-0x00000000026D0000-0x000000000375E000-memory.dmp | upx
  behavioral1/memory/2400-10-0x00000000026D0000-0x000000000375E000-memory.dmp | upx
  behavioral1/memory/2400-9-0x00000000026D0000-0x000000000375E000-memory.dmp | upx
  behavioral1/memory/2400-13-0x00000000026D0000-0x000000000375E000-memory.dmp | upx
  behavioral1/memory/2400-14-0x00000000026D0000-0x000000000375E000-memory.dmp | upx
  behavioral1/memory/2400-41-0x00000000026D0000-0x000000000375E000-memory.dmp | upx
  behavioral1/memory/2400-47-0x00000000026D0000-0x000000000375E000-memory.dmp | upx
  behavioral1/memory/2400-48-0x00000000026D0000-0x000000000375E000-memory.dmp | upx
  behavioral1/memory/2400-50-0x00000000026D0000-0x000000000375E000-memory.dmp | upx
  behavioral1/memory/2400-51-0x00000000026D0000-0x000000000375E000-memory.dmp | upx
  behavioral1/memory/2400-52-0x00000000026D0000-0x000000000375E000-memory.dmp | upx
  behavioral1/memory/2400-55-0x00000000026D0000-0x000000000375E000-memory.dmp | upx
  behavioral1/memory/2400-63-0x00000000026D0000-0x000000000375E000-memory.dmp | upx
  behavioral1/memory/2400-64-0x00000000026D0000-0x000000000375E000-memory.dmp | upx
  behavioral1/memory/2400-65-0x00000000026D0000-0x000000000375E000-memory.dmp | upx
  behavioral1/memory/2400-66-0x0000000000400000-0x0000000000BEA000-memory.dmp | upx
  behavioral1/memory/2400-68-0x00000000026D0000-0x000000000375E000-memory.dmp | upx
  behavioral1/memory/2400-83-0x00000000026D0000-0x000000000375E000-memory.dmp | upx
  behavioral1/memory/2400-85-0x00000000026D0000-0x000000000375E000-memory.dmp | upx
  behavioral1/memory/2400-101-0x00000000026D0000-0x000000000375E000-memory.dmp | upx
  behavioral1/memory/2400-102-0x00000000026D0000-0x000000000375E000-memory.dmp | upx
-
Windows security modification
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
-
Checks whether UAC is enabled
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
-
Enumerates connected drives  (3 TTPs, 20 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | process
  File opened (read-only) | \??\Q: | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  File opened (read-only) | \??\I: | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  File opened (read-only) | \??\K: | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  File opened (read-only) | \??\N: | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  File opened (read-only) | \??\R: | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  File opened (read-only) | \??\T: | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  File opened (read-only) | \??\V: | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  File opened (read-only) | \??\Y: | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  File opened (read-only) | \??\Z: | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  File opened (read-only) | \??\G: | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  File opened (read-only) | \??\H: | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  File opened (read-only) | \??\S: | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  File opened (read-only) | \??\W: | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  File opened (read-only) | \??\X: | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  File opened (read-only) | \??\M: | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  File opened (read-only) | \??\O: | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  File opened (read-only) | \??\L: | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  File opened (read-only) | \??\U: | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  File opened (read-only) | \??\E: | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  File opened (read-only) | \??\J: | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
-
Drops autorun.inf file  (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
  description | ioc | process
  File opened for modification | C:\autorun.inf | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  File opened for modification | F:\autorun.inf | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
-
Drops file in Program Files directory  (64 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe | plgMeM.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe | plgMeM.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE | plgMeM.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | plgMeM.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe | plgMeM.exe
  File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\java-rmi.exe | plgMeM.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | plgMeM.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE | plgMeM.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | plgMeM.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Windows Sidebar\sidebar.exe | plgMeM.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe | plgMeM.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Windows Defender\MpCmdRun.exe | plgMeM.exe
  File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\keytool.exe | plgMeM.exe
  File opened for modification | C:\Program Files (x86)\Windows Mail\wabmig.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Windows Mail\wab.exe | plgMeM.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\ktab.exe | plgMeM.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe | plgMeM.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE | plgMeM.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe | plgMeM.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe | plgMeM.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE | plgMeM.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\rmiregistry.exe | plgMeM.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe | plgMeM.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe | plgMeM.exe
  File opened for modification | C:\Program Files\7-Zip\7zG.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Windows Journal\PDIALOG.exe | plgMeM.exe
-
Drops file in Windows directory  (1 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SYSTEM.INI | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
-
Enumerates physical storage devices  (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses  (13 IoCs)
Processes:
  pid | process
  2400 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe  (13 identical entries)
-
Suspicious use of AdjustPrivilegeToken  (31 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2400 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe  (31 identical entries)
-
Suspicious use of SetWindowsHookEx  (2 IoCs)
Processes:
  pid | process
  2400 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  2400 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
-
Suspicious use of WriteProcessMemory  (63 IoCs)
Processes:
  description | pid | process | target process
  PID 2400 wrote to memory of 2728 | 2400 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | plgMeM.exe
  PID 2400 wrote to memory of 2728 | 2400 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | plgMeM.exe
  PID 2400 wrote to memory of 2728 | 2400 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | plgMeM.exe
  PID 2400 wrote to memory of 2728 | 2400 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | plgMeM.exe
  PID 2400 wrote to memory of 1040 | 2400 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | Dwm.exe
  PID 2400 wrote to memory of 1064 | 2400 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | taskhost.exe
  PID 2400 wrote to memory of 1116 | 2400 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | Explorer.EXE
  PID 2400 wrote to memory of 1540 | 2400 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | DllHost.exe
  PID 2400 wrote to memory of 1040 | 2400 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | Dwm.exe
  PID 2400 wrote to memory of 1064 | 2400 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | taskhost.exe
  PID 2400 wrote to memory of 1116 | 2400 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | Explorer.EXE
  PID 2400 wrote to memory of 1540 | 2400 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | DllHost.exe
  PID 2400 wrote to memory of 2728 | 2400 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | plgMeM.exe
  PID 2400 wrote to memory of 2728 | 2400 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | plgMeM.exe
  PID 2400 wrote to memory of 784 | 2400 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | DllHost.exe
  PID 2728 wrote to memory of 2164 | 2728 | plgMeM.exe | cmd.exe
  PID 2728 wrote to memory of 2164 | 2728 | plgMeM.exe | cmd.exe
  PID 2728 wrote to memory of 2164 | 2728 | plgMeM.exe | cmd.exe
  PID 2728 wrote to memory of 2164 | 2728 | plgMeM.exe | cmd.exe
  Entries 20 to 63 are the following four lines, repeated in this order 11 times:
  PID 2400 wrote to memory of 1040 | 2400 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | Dwm.exe
  PID 2400 wrote to memory of 1064 | 2400 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | taskhost.exe
  PID 2400 wrote to memory of 1116 | 2400 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | Explorer.EXE
  PID 2400 wrote to memory of 1540 | 2400 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | DllHost.exe
-
System policy modification  (1 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
Processes (indented by depth in the process tree)
-
C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
-
C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
-
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  -
  C:\Users\Admin\AppData\Local\Temp\R2登录器制作工具(带更新,反外挂,简约皮肤).exe
    command line: "C:\Users\Admin\AppData\Local\Temp\R2登录器制作工具(带更新,反外挂,简约皮肤).exe"
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    -
    C:\Users\Admin\AppData\Local\Temp\plgMeM.exe
      command line: C:\Users\Admin\AppData\Local\Temp\plgMeM.exe
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      -
      C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\6f7063d7.bat" "
-
C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
  Create or Modify System Process: 1
    Windows Service: 1
  Abuse Elevation Control Mechanism: 1
    Bypass User Account Control: 1
Defense Evasion
  Modify Registry: 5
  Impair Defenses: 4
    Disable or Modify Tools: 3
    Disable or Modify System Firewall: 1
  Abuse Elevation Control Mechanism: 1
    Bypass User Account Control: 1
Downloads
-
C:\PROGRAM FILES\7-ZIP\Uninstall.exe
  Filesize: 1.1MB
  MD5: 14d1ed17d89c5a8e91bfc212aa30e782
  SHA1: d456ebcee734eadd3c64001f70c475e2e36c53ad
  SHA256: 3df7fab54dbf2184eabcfb3d4a147c47b5dc4bc3adc1dd58fedb98fbed806c74
  SHA512: d90a4c85c29a02ff0ddaa8b3265753f0908264eb0e028539f8cd60a13ad2151c66e881f9f4daf74f2248c4fd25eb80e53abadc353de48d4f5c7abfb2cdd6fbb8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\69P6875H\k2[1].rar
  Filesize: 4B
  MD5: d3b07384d113edec49eaa6238ad5ff00
  SHA1: f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
  SHA256: b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
  SHA512: 0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6
-
C:\Users\Admin\AppData\Local\Temp\6f7063d7.bat
  Filesize: 187B
  MD5: 9b05637659c7c50a9bbffcbdf5c09f64
  SHA1: 51f4fd2f8da1044450ee3dc5bece3757250fceb7
  SHA256: 2dbee693c4e522e8311e28022468bddba44695153e6fcf232d8dd492713df83c
  SHA512: 9ce459767f22eb7285e4e558ca89d15ee37e0d4ffd3c3bb149b1fa5363ea026d9f704344d29d5204a3a535719ed377a49fb35548b106b96045a11091fb2c5b8d
-
C:\Users\Admin\AppData\Local\Temp\plgMeM.exe
  Filesize: 15KB
  MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
  SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
  SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
  SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e
-
C:\wowrqj.exe
  Filesize: 100KB
  MD5: b81c293757c84509d5156f87ca985784
  SHA1: 35f27b90885b12ad785ca54b72e280729d20a707
  SHA256: f16992d2265329f587572185224ee9a94ef7375bb167d52f06061490e89f6d90
  SHA512: cf9f3c9d1505e4ed823369549406310f25c92774f7657cb21547cb3a96e193138c32a3f20c6eaa36ad493e23724213ce9e55f497e2024d1b2363c25e8f3edc6c
-
Memory dumps (path | Filesize):
  memory/1040-26-0x0000000001DA0000-0x0000000001DA2000-memory.dmp | 8KB
  memory/2400-41-0x00000000026D0000-0x000000000375E000-memory.dmp | 16.6MB
  memory/2400-52-0x00000000026D0000-0x000000000375E000-memory.dmp | 16.6MB
  memory/2400-10-0x00000000026D0000-0x000000000375E000-memory.dmp | 16.6MB
  memory/2400-9-0x00000000026D0000-0x000000000375E000-memory.dmp | 16.6MB
  memory/2400-13-0x00000000026D0000-0x000000000375E000-memory.dmp | 16.6MB
  memory/2400-7-0x00000000026D0000-0x000000000375E000-memory.dmp | 16.6MB
  memory/2400-37-0x0000000000280000-0x0000000000282000-memory.dmp | 8KB
  memory/2400-38-0x0000000000280000-0x0000000000282000-memory.dmp | 8KB
  memory/2400-36-0x0000000000290000-0x0000000000291000-memory.dmp | 4KB
  memory/2400-34-0x0000000000290000-0x0000000000291000-memory.dmp | 4KB
  memory/2400-33-0x0000000000280000-0x0000000000282000-memory.dmp | 8KB
  memory/2400-0-0x00000000026D0000-0x000000000375E000-memory.dmp | 16.6MB
  memory/2400-12-0x00000000026D0000-0x000000000375E000-memory.dmp | 16.6MB
  memory/2400-14-0x00000000026D0000-0x000000000375E000-memory.dmp | 16.6MB
  memory/2400-22-0x0000000000280000-0x0000000000289000-memory.dmp | 36KB
  memory/2400-21-0x0000000000280000-0x0000000000289000-memory.dmp | 36KB
  memory/2400-1-0x0000000000400000-0x0000000000BEA000-memory.dmp | 7.9MB
  memory/2400-47-0x00000000026D0000-0x000000000375E000-memory.dmp | 16.6MB
  memory/2400-48-0x00000000026D0000-0x000000000375E000-memory.dmp | 16.6MB
  memory/2400-50-0x00000000026D0000-0x000000000375E000-memory.dmp | 16.6MB
  memory/2400-51-0x00000000026D0000-0x000000000375E000-memory.dmp | 16.6MB
  memory/2400-4-0x00000000026D0000-0x000000000375E000-memory.dmp | 16.6MB
  memory/2400-55-0x00000000026D0000-0x000000000375E000-memory.dmp | 16.6MB
  memory/2400-11-0x00000000026D0000-0x000000000375E000-memory.dmp | 16.6MB
  memory/2400-63-0x00000000026D0000-0x000000000375E000-memory.dmp | 16.6MB
  memory/2400-64-0x00000000026D0000-0x000000000375E000-memory.dmp | 16.6MB
  memory/2400-65-0x00000000026D0000-0x000000000375E000-memory.dmp | 16.6MB
  memory/2400-66-0x0000000000400000-0x0000000000BEA000-memory.dmp | 7.9MB
  memory/2400-68-0x00000000026D0000-0x000000000375E000-memory.dmp | 16.6MB
  memory/2400-8-0x00000000026D0000-0x000000000375E000-memory.dmp | 16.6MB
  memory/2400-120-0x0000000000280000-0x0000000000282000-memory.dmp | 8KB
  memory/2400-102-0x00000000026D0000-0x000000000375E000-memory.dmp | 16.6MB
  memory/2400-101-0x00000000026D0000-0x000000000375E000-memory.dmp | 16.6MB
  memory/2400-83-0x00000000026D0000-0x000000000375E000-memory.dmp | 16.6MB
  memory/2400-85-0x00000000026D0000-0x000000000375E000-memory.dmp | 16.6MB
  memory/2400-3-0x00000000026D0000-0x000000000375E000-memory.dmp | 16.6MB
  memory/2728-81-0x00000000002B0000-0x00000000002B2000-memory.dmp | 8KB
  memory/2728-77-0x00000000002C0000-0x00000000002C1000-memory.dmp | 4KB
  memory/2728-79-0x00000000000C0000-0x00000000000C9000-memory.dmp | 36KB
  memory/2728-80-0x00000000002B0000-0x00000000002B2000-memory.dmp | 8KB
  memory/2728-25-0x00000000000C0000-0x00000000000C9000-memory.dmp | 36KB