Analysis
  max time kernel: 1s
  max time network: 128s
  platform: windows10-2004_x64
  resource: win10v2004-20240704-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 05-07-2024 05:59

Behavioral task: behavioral1
  Sample: R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Resource: win7-20240704-en
General
  Target: R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Size: 2.8MB
  MD5: 75d53417d21654acbe4565e04a5e3353
  SHA1: 18f996da80eee26b0fe48da445586f190aa710bd
  SHA256: ecbc34e6b5739a37dc046dfecf8e067eff30b4d1a4bf7531147286fbb45e1be5
  SHA512: 91231190df5e55dd5fc330dd39651998206bdae2de91c0274e9a9c3d1c856aaef4031b3a24356c1a4f41abd6f017714f8e45112025f01a24e421747700223307
  SSDEEP: 49152:5XWtGqeLA3MUwfOBIDGVV99pM78Q/9tf7D/0aJoYKsaABNTHpSNk50AjOOZALIE:5mreLKyfO24VRM78Q/9hEeobnABNTANF
Malware Config
Extracted
  Family: sality
  URLs:
    http://89.119.67.154/testo5/
    http://kukutrustnet777.info/home.gif
    http://kukutrustnet888.info/home.gif
    http://kukutrustnet987.info/home.gif
    http://www.klkjwre9fqwieluoi.info/
    http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service 3 TTPs 3 IoCs
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
UAC bypass
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
Windows security bypass
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\plgMeM.exe | aspack_v212_v242
Executes dropped EXE 1 IoCs
Processes:
  pid | process
  1772 | plgMeM.exe
Processes:
  resource | yara_rule
  behavioral2/memory/2380-0-0x0000000000400000-0x0000000000BEA000-memory.dmp | upx
  behavioral2/memory/2380-11-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-8-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-19-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-24-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-13-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-25-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-10-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-9-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-5-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-33-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-32-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-34-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-36-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-35-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-38-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-39-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-47-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-49-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-50-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-52-0x0000000000400000-0x0000000000BEA000-memory.dmp | upx
  behavioral2/memory/2380-54-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-56-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-60-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-69-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-71-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-73-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-75-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-78-0x0000000000400000-0x0000000000BEA000-memory.dmp | upx
  behavioral2/memory/2380-79-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-82-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-90-0x0000000000400000-0x0000000000BEA000-memory.dmp | upx
  behavioral2/memory/2380-91-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-93-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-96-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-99-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-100-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
  behavioral2/memory/2380-110-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | upx
Windows security modification
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
Checks whether UAC is enabled
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
Drops file in Program Files directory 64 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\misc.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE | plgMeM.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE | plgMeM.exe
  File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE | plgMeM.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Integration\Integrator.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVLP.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msoev.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE | plgMeM.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE | plgMeM.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE | plgMeM.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE | plgMeM.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | plgMeM.exe
  File opened for modification | C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE | plgMeM.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE | plgMeM.exe
Drops file in Windows directory 1 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SYSTEM.INI | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid | process
  2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
Suspicious use of AdjustPrivilegeToken 63 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
  (this identical entry is listed 63 times in the report, one per privilege adjustment)
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
  description | pid | process | target process
  PID 2380 wrote to memory of 1772 | 2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | plgMeM.exe
  PID 2380 wrote to memory of 1772 | 2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | plgMeM.exe
  PID 2380 wrote to memory of 1772 | 2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | plgMeM.exe
  PID 2380 wrote to memory of 772 | 2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | fontdrvhost.exe
  PID 2380 wrote to memory of 780 | 2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | fontdrvhost.exe
  PID 2380 wrote to memory of 316 | 2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | dwm.exe
  PID 2380 wrote to memory of 2672 | 2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | sihost.exe
  PID 2380 wrote to memory of 2696 | 2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | svchost.exe
  PID 2380 wrote to memory of 2928 | 2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | taskhostw.exe
  PID 2380 wrote to memory of 3468 | 2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | Explorer.EXE
  PID 2380 wrote to memory of 3652 | 2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | svchost.exe
  PID 2380 wrote to memory of 3848 | 2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | DllHost.exe
  PID 2380 wrote to memory of 3944 | 2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | StartMenuExperienceHost.exe
  PID 2380 wrote to memory of 4012 | 2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | RuntimeBroker.exe
  PID 2380 wrote to memory of 592 | 2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | SearchApp.exe
  PID 2380 wrote to memory of 4196 | 2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | RuntimeBroker.exe
  PID 2380 wrote to memory of 2136 | 2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | RuntimeBroker.exe
  PID 2380 wrote to memory of 5000 | 2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | TextInputHost.exe
  PID 2380 wrote to memory of 1808 | 2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | backgroundTaskHost.exe
  PID 2380 wrote to memory of 2100 | 2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | backgroundTaskHost.exe
  PID 2380 wrote to memory of 4424 | 2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | BackgroundTaskHost.exe
  PID 2380 wrote to memory of 3428 | 2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | RuntimeBroker.exe
  PID 2380 wrote to memory of 1772 | 2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | plgMeM.exe
  PID 2380 wrote to memory of 1772 | 2380 | R2登录器制作工具(带更新,反外挂,简约皮肤).exe | plgMeM.exe
System policy modification 1 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | R2登录器制作工具(带更新,反外挂,简约皮肤).exe
Processes
(bracketed number = depth in the process tree; the indented line under each image path is its command line; signature hits follow as "-" items)

  [1] C:\Windows\system32\fontdrvhost.exe
      "fontdrvhost.exe"
  [1] C:\Windows\system32\fontdrvhost.exe
      "fontdrvhost.exe"
  [1] C:\Windows\system32\dwm.exe
      "dwm.exe"
  [1] C:\Windows\system32\sihost.exe
      sihost.exe
  [1] C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  [1] C:\Windows\system32\taskhostw.exe
      taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  [1] C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
    [2] C:\Users\Admin\AppData\Local\Temp\R2登录器制作工具(带更新,反外挂,简约皮肤).exe
        "C:\Users\Admin\AppData\Local\Temp\R2登录器制作工具(带更新,反外挂,简约皮肤).exe"
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      [3] C:\Users\Admin\AppData\Local\Temp\plgMeM.exe
          C:\Users\Admin\AppData\Local\Temp\plgMeM.exe
          - Executes dropped EXE
          - Drops file in Program Files directory
        [4] C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\379c6f7a.bat" "
  [1] C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  [1] C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  [1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  [1] C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
  [1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  [1] C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
  [1] C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
  [1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  [1] C:\Windows\system32\backgroundTaskHost.exe
      "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  [1] C:\Windows\system32\backgroundTaskHost.exe
      "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  [1] C:\Windows\system32\BackgroundTaskHost.exe
      "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
  [1] C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
  Create or Modify System Process (1)
    Windows Service (1)
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Downloads

C:\PROGRAM FILES\7-ZIP\Uninstall.exe
  Filesize: 106KB
  MD5: c141fb4093d9ceceb6f9d080b2c93f8a
  SHA1: fbbf27b548a29b2892692e40811976cf907c6fac
  SHA256: de728d57a23de143cd89b0d80555d85c3fd267eb7e1f047a98e32ad818a89611
  SHA512: 2c239ccad13b555cec24e6a7eb1fa440b335e14e0ea5254c117d9337b2fbdf1375013a42df814676e1731804bb43b8a27f09e717e21b753ff5701ccb223d775d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\C5RYTORX\k2[1].rar
  Filesize: 4B
  MD5: d3b07384d113edec49eaa6238ad5ff00
  SHA1: f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
  SHA256: b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
  SHA512: 0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

C:\Users\Admin\AppData\Local\Temp\37767E39.exe
  Filesize: 4B
  MD5: 20879c987e2f9a916e578386d499f629
  SHA1: c7b33ddcc42361fdb847036fc07e880b81935d5d
  SHA256: 9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31
  SHA512: bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

C:\Users\Admin\AppData\Local\Temp\379c6f7a.bat
  Filesize: 187B
  MD5: 2864d2148c7816bc9167832e4fd0004d
  SHA1: 9e47cdbad0fde1babe19713bf3f40d42988ece92
  SHA256: 2acb77e8439375827e1a543b8c5450a536889e85af7eee79d7adab0cb32b0189
  SHA512: 90eb210c2d8b1fa12304080f07c7620ea45d38e419a86ececba78b513a4ced968dc213e67bed338ee362cefb4295af90c816bfef44b86fed486448a21c9ce54b

C:\Users\Admin\AppData\Local\Temp\plgMeM.exe
  Filesize: 15KB
  MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
  SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
  SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
  SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

F:\hfvy.exe
  Filesize: 100KB
  MD5: a5830cb3995ae2358b646710d8b6079e
  SHA1: 540a039e6d7d1b6dd7682b9492ab365f3ab73884
  SHA256: 7a17174a7340d97a25645e71e81afefab07646c36076b81ed02bdb329b0e8c21
  SHA512: 875bf2396fc885d4f99fa24df3c9979c07f7e33aed1303bedeca13138b3e83fadc3e29fe916ff20b2e1de6bac47afa2522e3f67fc28058312d640a4895a04aec

Memory dumps (path | Filesize)
  memory/1772-21-0x00000000014B0000-0x00000000014B2000-memory.dmp | 8KB
  memory/1772-18-0x0000000000250000-0x0000000000259000-memory.dmp | 36KB
  memory/1772-108-0x00000000014B0000-0x00000000014B2000-memory.dmp | 8KB
  memory/1772-23-0x00000000014B0000-0x00000000014B2000-memory.dmp | 8KB
  memory/1772-53-0x0000000000250000-0x0000000000259000-memory.dmp | 36KB
  memory/1772-17-0x00000000014C0000-0x00000000014C1000-memory.dmp | 4KB
  memory/2380-33-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-15-0x0000000000DE0000-0x0000000000DE1000-memory.dmp | 4KB
  memory/2380-20-0x0000000000C00000-0x0000000000C02000-memory.dmp | 8KB
  memory/2380-54-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-14-0x0000000000C00000-0x0000000000C02000-memory.dmp | 8KB
  memory/2380-9-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-5-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-24-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-32-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-34-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-36-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-35-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-38-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-39-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-19-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-56-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-47-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-49-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-50-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-10-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-8-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-0-0x0000000000400000-0x0000000000BEA000-memory.dmp | 7.9MB
  memory/2380-22-0x0000000000C00000-0x0000000000C02000-memory.dmp | 8KB
  memory/2380-60-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-69-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-71-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-73-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-75-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-25-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-78-0x0000000000400000-0x0000000000BEA000-memory.dmp | 7.9MB
  memory/2380-79-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-82-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-90-0x0000000000400000-0x0000000000BEA000-memory.dmp | 7.9MB
  memory/2380-91-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-93-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-96-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-99-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-100-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-13-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-107-0x0000000000C00000-0x0000000000C02000-memory.dmp | 8KB
  memory/2380-110-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB
  memory/2380-52-0x0000000000400000-0x0000000000BEA000-memory.dmp | 7.9MB
  memory/2380-11-0x0000000002AF0000-0x0000000003B7E000-memory.dmp | 16.6MB