sality | a444a64f8739781bf0113e5e565e838da4082dddece109ae31cc9f72f0cb5a8d

Analysis

max time kernel
94s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a444a64f8739781bf0113e5e565e838da4082dddece109ae31cc9f72f0cb5a8d.dll
Size

120KB
MD5

9ef7044c48cbc23ec9de7ad3c9ff7018
SHA1

ba12f3db93a25ef85bb3b4a73f6f5ec480472d41
SHA256

a444a64f8739781bf0113e5e565e838da4082dddece109ae31cc9f72f0cb5a8d
SHA512

dabec67e818929805a155b7824d855e707d25cacee24d7868b25be8a53b5ae4ba2c04ea720f1aff576b1db6443e898a84a407f1790c52651ad0afaa6a8cb9134
SSDEEP

3072:zB1l3evcfobtq8IW1M66FmNxCSvjgu6nKaff:d1luvs2qNrkCSvjLKB

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

e573df3.exee573c8c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e573df3.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e573df3.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e573c8c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e573c8c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e573c8c.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e573df3.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e573c8c.exee573df3.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e573c8c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e573df3.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e573c8c.exee573df3.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e573c8c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e573c8c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e573c8c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e573c8c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e573df3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e573df3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e573df3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e573c8c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e573c8c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e573df3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e573df3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e573df3.exe

Executes dropped EXE 3 IoCs

Processes:

e573c8c.exee573df3.exee575851.exe

pid process

4420 e573c8c.exe
4296 e573df3.exe
3568 e575851.exe

pid	process
4420	e573c8c.exe
4296	e573df3.exe
3568	e575851.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4420-6-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-8-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-20-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-28-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-18-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-32-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-29-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-34-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-9-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-10-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-35-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-36-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-37-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-38-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-40-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-39-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-42-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-43-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-52-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-54-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-55-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-65-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-67-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-70-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-72-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-74-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-77-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-78-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-79-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-80-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-81-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4420-83-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4296-114-0x0000000000B40000-0x0000000001BFA000-memory.dmp	upx
behavioral2/memory/4296-128-0x0000000000B40000-0x0000000001BFA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e573c8c.exee573df3.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e573c8c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e573c8c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e573df3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e573df3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e573c8c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e573c8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e573c8c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e573df3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e573df3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e573df3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e573df3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e573df3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e573c8c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e573c8c.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e573c8c.exee573df3.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e573c8c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e573df3.exe

Enumerates connected drives 3 TTPs 14 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e573c8c.exe

description	ioc	process
File opened (read-only)	\??\K:	e573c8c.exe
File opened (read-only)	\??\R:	e573c8c.exe
File opened (read-only)	\??\I:	e573c8c.exe
File opened (read-only)	\??\J:	e573c8c.exe
File opened (read-only)	\??\M:	e573c8c.exe
File opened (read-only)	\??\N:	e573c8c.exe
File opened (read-only)	\??\P:	e573c8c.exe
File opened (read-only)	\??\G:	e573c8c.exe
File opened (read-only)	\??\H:	e573c8c.exe
File opened (read-only)	\??\Q:	e573c8c.exe
File opened (read-only)	\??\S:	e573c8c.exe
File opened (read-only)	\??\E:	e573c8c.exe
File opened (read-only)	\??\L:	e573c8c.exe
File opened (read-only)	\??\O:	e573c8c.exe

Drops file in Program Files directory 4 IoCs

Processes:

e573c8c.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	e573c8c.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e573c8c.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e573c8c.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	e573c8c.exe

Drops file in Windows directory 3 IoCs

Processes:

e573c8c.exee573df3.exe

description ioc process

File created C:\Windows\e573cda e573c8c.exe
File opened for modification C:\Windows\SYSTEM.INI e573c8c.exe
File created C:\Windows\e578d3c e573df3.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

e573c8c.exee573df3.exe

pid process

4420 e573c8c.exe
4420 e573c8c.exe
4420 e573c8c.exe
4420 e573c8c.exe
4296 e573df3.exe
4296 e573df3.exe

description	ioc	process
File created	C:\Windows\e573cda	e573c8c.exe
File opened for modification	C:\Windows\SYSTEM.INI	e573c8c.exe
File created	C:\Windows\e578d3c	e573df3.exe

pid	process
4420	e573c8c.exe
4420	e573c8c.exe
4420	e573c8c.exe
4420	e573c8c.exe
4296	e573df3.exe
4296	e573df3.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e573c8c.exe

description	pid	process
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe
Token: SeDebugPrivilege	4420	e573c8c.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exee573c8c.exee573df3.exe

description	pid	process	target process
PID 4956 wrote to memory of 2152	4956	rundll32.exe	rundll32.exe
PID 4956 wrote to memory of 2152	4956	rundll32.exe	rundll32.exe
PID 4956 wrote to memory of 2152	4956	rundll32.exe	rundll32.exe
PID 2152 wrote to memory of 4420	2152	rundll32.exe	e573c8c.exe
PID 2152 wrote to memory of 4420	2152	rundll32.exe	e573c8c.exe
PID 2152 wrote to memory of 4420	2152	rundll32.exe	e573c8c.exe
PID 4420 wrote to memory of 760	4420	e573c8c.exe	fontdrvhost.exe
PID 4420 wrote to memory of 764	4420	e573c8c.exe	fontdrvhost.exe
PID 4420 wrote to memory of 1016	4420	e573c8c.exe	dwm.exe
PID 4420 wrote to memory of 2480	4420	e573c8c.exe	sihost.exe
PID 4420 wrote to memory of 2500	4420	e573c8c.exe	svchost.exe
PID 4420 wrote to memory of 2684	4420	e573c8c.exe	taskhostw.exe
PID 4420 wrote to memory of 3500	4420	e573c8c.exe	Explorer.EXE
PID 4420 wrote to memory of 3648	4420	e573c8c.exe	svchost.exe
PID 4420 wrote to memory of 3824	4420	e573c8c.exe	DllHost.exe
PID 4420 wrote to memory of 3912	4420	e573c8c.exe	StartMenuExperienceHost.exe
PID 4420 wrote to memory of 3972	4420	e573c8c.exe	RuntimeBroker.exe
PID 4420 wrote to memory of 4060	4420	e573c8c.exe	SearchApp.exe
PID 4420 wrote to memory of 3944	4420	e573c8c.exe	RuntimeBroker.exe
PID 4420 wrote to memory of 456	4420	e573c8c.exe	TextInputHost.exe
PID 4420 wrote to memory of 2572	4420	e573c8c.exe	RuntimeBroker.exe
PID 4420 wrote to memory of 4956	4420	e573c8c.exe	rundll32.exe
PID 4420 wrote to memory of 2152	4420	e573c8c.exe	rundll32.exe
PID 4420 wrote to memory of 2152	4420	e573c8c.exe	rundll32.exe
PID 2152 wrote to memory of 4296	2152	rundll32.exe	e573df3.exe
PID 2152 wrote to memory of 4296	2152	rundll32.exe	e573df3.exe
PID 2152 wrote to memory of 4296	2152	rundll32.exe	e573df3.exe
PID 2152 wrote to memory of 3568	2152	rundll32.exe	e575851.exe
PID 2152 wrote to memory of 3568	2152	rundll32.exe	e575851.exe
PID 2152 wrote to memory of 3568	2152	rundll32.exe	e575851.exe
PID 4420 wrote to memory of 760	4420	e573c8c.exe	fontdrvhost.exe
PID 4420 wrote to memory of 764	4420	e573c8c.exe	fontdrvhost.exe
PID 4420 wrote to memory of 1016	4420	e573c8c.exe	dwm.exe
PID 4420 wrote to memory of 2480	4420	e573c8c.exe	sihost.exe
PID 4420 wrote to memory of 2500	4420	e573c8c.exe	svchost.exe
PID 4420 wrote to memory of 2684	4420	e573c8c.exe	taskhostw.exe
PID 4420 wrote to memory of 3500	4420	e573c8c.exe	Explorer.EXE
PID 4420 wrote to memory of 3648	4420	e573c8c.exe	svchost.exe
PID 4420 wrote to memory of 3824	4420	e573c8c.exe	DllHost.exe
PID 4420 wrote to memory of 3912	4420	e573c8c.exe	StartMenuExperienceHost.exe
PID 4420 wrote to memory of 3972	4420	e573c8c.exe	RuntimeBroker.exe
PID 4420 wrote to memory of 4060	4420	e573c8c.exe	SearchApp.exe
PID 4420 wrote to memory of 3944	4420	e573c8c.exe	RuntimeBroker.exe
PID 4420 wrote to memory of 456	4420	e573c8c.exe	TextInputHost.exe
PID 4420 wrote to memory of 2572	4420	e573c8c.exe	RuntimeBroker.exe
PID 4420 wrote to memory of 4296	4420	e573c8c.exe	e573df3.exe
PID 4420 wrote to memory of 4296	4420	e573c8c.exe	e573df3.exe
PID 4420 wrote to memory of 3568	4420	e573c8c.exe	e575851.exe
PID 4420 wrote to memory of 3568	4420	e573c8c.exe	e575851.exe
PID 4296 wrote to memory of 760	4296	e573df3.exe	fontdrvhost.exe
PID 4296 wrote to memory of 764	4296	e573df3.exe	fontdrvhost.exe
PID 4296 wrote to memory of 1016	4296	e573df3.exe	dwm.exe
PID 4296 wrote to memory of 2480	4296	e573df3.exe	sihost.exe
PID 4296 wrote to memory of 2500	4296	e573df3.exe	svchost.exe
PID 4296 wrote to memory of 2684	4296	e573df3.exe	taskhostw.exe
PID 4296 wrote to memory of 3500	4296	e573df3.exe	Explorer.EXE
PID 4296 wrote to memory of 3648	4296	e573df3.exe	svchost.exe
PID 4296 wrote to memory of 3824	4296	e573df3.exe	DllHost.exe
PID 4296 wrote to memory of 3912	4296	e573df3.exe	StartMenuExperienceHost.exe
PID 4296 wrote to memory of 3972	4296	e573df3.exe	RuntimeBroker.exe
PID 4296 wrote to memory of 4060	4296	e573df3.exe	SearchApp.exe
PID 4296 wrote to memory of 3944	4296	e573df3.exe	RuntimeBroker.exe
PID 4296 wrote to memory of 456	4296	e573df3.exe	TextInputHost.exe
PID 4296 wrote to memory of 2572	4296	e573df3.exe	RuntimeBroker.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e573c8c.exee573df3.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e573c8c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e573df3.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:760

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:764

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1016

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2500

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2684

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3500

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a444a64f8739781bf0113e5e565e838da4082dddece109ae31cc9f72f0cb5a8d.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a444a64f8739781bf0113e5e565e838da4082dddece109ae31cc9f72f0cb5a8d.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:2152

C:\Users\Admin\AppData\Local\Temp\e573c8c.exe
C:\Users\Admin\AppData\Local\Temp\e573c8c.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4420

C:\Users\Admin\AppData\Local\Temp\e573df3.exe
C:\Users\Admin\AppData\Local\Temp\e573df3.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4296

C:\Users\Admin\AppData\Local\Temp\e575851.exe
C:\Users\Admin\AppData\Local\Temp\e575851.exe
4⤵
- Executes dropped EXE
PID:3568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3648

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3824

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3912

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3972

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4060

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3944

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:456

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2572

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e573c8c.exe
Filesize
97KB

MD5
f8ce943a63132ba00860d9756e7a64c3

SHA1
7c125a935af64429f7ce334147dbabd06da15082

SHA256
6ab27171224a781f4baf238794c02b55c517c9c4e7f0a842e1eb6c0fd5530f9a

SHA512
a929d6cd8370a26c9636b53ee228046440bee9089586d3129d4acad1744e249efc6382e03b0e3faa71c20e9517ca7d23960e2295d687502578e86d41a2ffc6d7

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
b6b9a7df21ea06b7aa07a1e311fe9b31

SHA1
0c2b938cc02afa154334c75cec5654a958222ed1

SHA256
17540d3d91c17f193bc395185f42cfcba197aa702d96267c4d77b6ea472fa794

SHA512
9367449cbaf2991fb6ae3a5906ca490e8bc98be3647f0c488f9c1a14cccb603828f32623d1c66a2ec473eaab928d3d9192f09787a9b589ff729c2203c75e2ec8

Download Submit
memory/2152-11-0x00000000014B0000-0x00000000014B2000-memory.dmp

Filesize
8KB

Download
memory/2152-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2152-17-0x00000000014B0000-0x00000000014B2000-memory.dmp

Filesize
8KB

Download
memory/2152-12-0x00000000014C0000-0x00000000014C1000-memory.dmp

Filesize
4KB

Download
memory/2152-21-0x00000000014B0000-0x00000000014B2000-memory.dmp

Filesize
8KB

Download
memory/3568-64-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3568-133-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3568-51-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3568-62-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3568-60-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4296-58-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4296-31-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4296-61-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4296-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4296-114-0x0000000000B40000-0x0000000001BFA000-memory.dmp

Filesize
16.7MB

Download
memory/4296-128-0x0000000000B40000-0x0000000001BFA000-memory.dmp

Filesize
16.7MB

Download
memory/4296-129-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4420-42-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-18-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-14-0x0000000001A40000-0x0000000001A41000-memory.dmp

Filesize
4KB

Download
memory/4420-36-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-37-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-38-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-40-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-39-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-10-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-43-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-9-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-52-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-54-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-55-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-19-0x0000000001A30000-0x0000000001A32000-memory.dmp

Filesize
8KB

Download
memory/4420-22-0x0000000001A30000-0x0000000001A32000-memory.dmp

Filesize
8KB

Download
memory/4420-34-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-29-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-32-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-35-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-65-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-67-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-70-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-72-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-74-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-77-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-78-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-79-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-80-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-81-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-83-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-93-0x0000000001A30000-0x0000000001A32000-memory.dmp

Filesize
8KB

Download
memory/4420-102-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4420-28-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-20-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-8-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-6-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4420-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download