sality | ecbc34e6b5739a37dc046dfecf8e067eff30b4d1a4bf7531147286fbb45e1be5

Analysis

max time kernel
1s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Size

2.8MB
MD5

75d53417d21654acbe4565e04a5e3353
SHA1

18f996da80eee26b0fe48da445586f190aa710bd
SHA256

ecbc34e6b5739a37dc046dfecf8e067eff30b4d1a4bf7531147286fbb45e1be5
SHA512

91231190df5e55dd5fc330dd39651998206bdae2de91c0274e9a9c3d1c856aaef4031b3a24356c1a4f41abd6f017714f8e45112025f01a24e421747700223307
SSDEEP

49152:5XWtGqeLA3MUwfOBIDGVV99pM78Q/9tf7D/0aJoYKsaABNTHpSNk50AjOOZALIE:5mreLKyfO24VRM78Q/9hEeobnABNTANF

Score

10^/10

sality aspackv2 backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

ASPack v2.12-2.42 1 IoCs
Detects executables packed with ASPack v2.12-2.42
aspackv2

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\plgMeM.exe aspack_v212_v242
Executes dropped EXE 1 IoCs

Processes:

plgMeM.exe

pid process

1772 plgMeM.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\plgMeM.exe	aspack_v212_v242

pid	process
1772	plgMeM.exe

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2380-0-0x0000000000400000-0x0000000000BEA000-memory.dmp	upx
behavioral2/memory/2380-11-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-8-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-19-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-24-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-13-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-25-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-10-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-9-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-5-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-33-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-32-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-34-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-36-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-35-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-38-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-39-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-47-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-49-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-50-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-52-0x0000000000400000-0x0000000000BEA000-memory.dmp	upx
behavioral2/memory/2380-54-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-56-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-60-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-69-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-71-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-73-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-75-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-78-0x0000000000400000-0x0000000000BEA000-memory.dmp	upx
behavioral2/memory/2380-79-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-82-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-90-0x0000000000400000-0x0000000000BEA000-memory.dmp	upx
behavioral2/memory/2380-91-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-93-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-96-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-99-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-100-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2380-110-0x0000000002AF0000-0x0000000003B7E000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

Drops file in Program Files directory 64 IoCs

Processes:

plgMeM.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	plgMeM.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\misc.exe	plgMeM.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	plgMeM.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	plgMeM.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE	plgMeM.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	plgMeM.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE	plgMeM.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	plgMeM.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	plgMeM.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	plgMeM.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe	plgMeM.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe	plgMeM.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoev.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	plgMeM.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE	plgMeM.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE	plgMeM.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE	plgMeM.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	plgMeM.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	plgMeM.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe	plgMeM.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE	plgMeM.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	plgMeM.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	plgMeM.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE	plgMeM.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE	plgMeM.exe

Drops file in Windows directory 1 IoCs

Processes:

R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

pid process

2380 R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
2380 R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

pid	process
2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description	pid	process
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
Token: SeDebugPrivilege	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description	pid	process	target process
PID 2380 wrote to memory of 1772	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	plgMeM.exe
PID 2380 wrote to memory of 1772	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	plgMeM.exe
PID 2380 wrote to memory of 1772	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	plgMeM.exe
PID 2380 wrote to memory of 772	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	fontdrvhost.exe
PID 2380 wrote to memory of 780	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	fontdrvhost.exe
PID 2380 wrote to memory of 316	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	dwm.exe
PID 2380 wrote to memory of 2672	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	sihost.exe
PID 2380 wrote to memory of 2696	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	svchost.exe
PID 2380 wrote to memory of 2928	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	taskhostw.exe
PID 2380 wrote to memory of 3468	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	Explorer.EXE
PID 2380 wrote to memory of 3652	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	svchost.exe
PID 2380 wrote to memory of 3848	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	DllHost.exe
PID 2380 wrote to memory of 3944	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	StartMenuExperienceHost.exe
PID 2380 wrote to memory of 4012	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	RuntimeBroker.exe
PID 2380 wrote to memory of 592	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	SearchApp.exe
PID 2380 wrote to memory of 4196	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	RuntimeBroker.exe
PID 2380 wrote to memory of 2136	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	RuntimeBroker.exe
PID 2380 wrote to memory of 5000	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	TextInputHost.exe
PID 2380 wrote to memory of 1808	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	backgroundTaskHost.exe
PID 2380 wrote to memory of 2100	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	backgroundTaskHost.exe
PID 2380 wrote to memory of 4424	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	BackgroundTaskHost.exe
PID 2380 wrote to memory of 3428	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	RuntimeBroker.exe
PID 2380 wrote to memory of 1772	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	plgMeM.exe
PID 2380 wrote to memory of 1772	2380	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe	plgMeM.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	R2登录器制作工具（带更新，反外挂，简约皮肤）.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:772

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:316

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2696

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2928

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3468

C:\Users\Admin\AppData\Local\Temp\R2登录器制作工具（带更新，反外挂，简约皮肤）.exe
"C:\Users\Admin\AppData\Local\Temp\R2登录器制作工具（带更新，反外挂，简约皮肤）.exe"
2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2380

C:\Users\Admin\AppData\Local\Temp\plgMeM.exe
C:\Users\Admin\AppData\Local\Temp\plgMeM.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\379c6f7a.bat" "
4⤵
PID:4496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3652

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3848

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3944

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4012

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:592

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4196

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2136

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:5000

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1808

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2100

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:4424

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3428

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRAM FILES\7-ZIP\Uninstall.exe
Filesize
106KB

MD5
c141fb4093d9ceceb6f9d080b2c93f8a

SHA1
fbbf27b548a29b2892692e40811976cf907c6fac

SHA256
de728d57a23de143cd89b0d80555d85c3fd267eb7e1f047a98e32ad818a89611

SHA512
2c239ccad13b555cec24e6a7eb1fa440b335e14e0ea5254c117d9337b2fbdf1375013a42df814676e1731804bb43b8a27f09e717e21b753ff5701ccb223d775d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\C5RYTORX\k2[1].rar
Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\37767E39.exe
Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\379c6f7a.bat
Filesize
187B

MD5
2864d2148c7816bc9167832e4fd0004d

SHA1
9e47cdbad0fde1babe19713bf3f40d42988ece92

SHA256
2acb77e8439375827e1a543b8c5450a536889e85af7eee79d7adab0cb32b0189

SHA512
90eb210c2d8b1fa12304080f07c7620ea45d38e419a86ececba78b513a4ced968dc213e67bed338ee362cefb4295af90c816bfef44b86fed486448a21c9ce54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\plgMeM.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
F:\hfvy.exe
Filesize
100KB

MD5
a5830cb3995ae2358b646710d8b6079e

SHA1
540a039e6d7d1b6dd7682b9492ab365f3ab73884

SHA256
7a17174a7340d97a25645e71e81afefab07646c36076b81ed02bdb329b0e8c21

SHA512
875bf2396fc885d4f99fa24df3c9979c07f7e33aed1303bedeca13138b3e83fadc3e29fe916ff20b2e1de6bac47afa2522e3f67fc28058312d640a4895a04aec

Download Submit
memory/1772-21-0x00000000014B0000-0x00000000014B2000-memory.dmp

Filesize
8KB

Download
memory/1772-18-0x0000000000250000-0x0000000000259000-memory.dmp

Filesize
36KB

Download
memory/1772-108-0x00000000014B0000-0x00000000014B2000-memory.dmp

Filesize
8KB

Download
memory/1772-23-0x00000000014B0000-0x00000000014B2000-memory.dmp

Filesize
8KB

Download
memory/1772-53-0x0000000000250000-0x0000000000259000-memory.dmp

Filesize
36KB

Download
memory/1772-17-0x00000000014C0000-0x00000000014C1000-memory.dmp

Filesize
4KB

Download
memory/2380-33-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-15-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/2380-20-0x0000000000C00000-0x0000000000C02000-memory.dmp

Filesize
8KB

Download
memory/2380-54-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-14-0x0000000000C00000-0x0000000000C02000-memory.dmp

Filesize
8KB

Download
memory/2380-9-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-5-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-24-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-32-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-34-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-36-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-35-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-38-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-39-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-19-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-56-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-47-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-49-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-50-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-10-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-8-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-0-0x0000000000400000-0x0000000000BEA000-memory.dmp

Filesize
7.9MB

Download
memory/2380-22-0x0000000000C00000-0x0000000000C02000-memory.dmp

Filesize
8KB

Download
memory/2380-60-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-69-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-71-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-73-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-75-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-25-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-78-0x0000000000400000-0x0000000000BEA000-memory.dmp

Filesize
7.9MB

Download
memory/2380-79-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-82-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-90-0x0000000000400000-0x0000000000BEA000-memory.dmp

Filesize
7.9MB

Download
memory/2380-91-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-93-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-96-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-99-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-100-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-13-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-107-0x0000000000C00000-0x0000000000C02000-memory.dmp

Filesize
8KB

Download
memory/2380-110-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-52-0x0000000000400000-0x0000000000BEA000-memory.dmp

Filesize
7.9MB

Download
memory/2380-11-0x0000000002AF0000-0x0000000003B7E000-memory.dmp

Filesize
16.6MB

Download