sality | dba03af913c5ecbaee9b89aeb9de4d017cdd22b784604713711d3837d637236f

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dba03af913c5ecbaee9b89aeb9de4d017cdd22b784604713711d3837d637236f.dll
Size

120KB
MD5

6880a67ab5bb7d95e5bc5f2427213a8f
SHA1

ccef5f2822f8f659885d1df5c605b2599e8c3280
SHA256

dba03af913c5ecbaee9b89aeb9de4d017cdd22b784604713711d3837d637236f
SHA512

b235db86c2efe329a3f3e5dc64ac8d3f3aac873d9459a95eb5fb1ee03fd3c3d6e0c71c2cc0cc2cf487abfe3df0f9a6f77cfd4d57edabc6b82fc5cf2613554187
SSDEEP

3072:+DdzWPzXM2JPdRXUqdN1F3UytGYLRhPbWz/I:YdWL84l9GoRhR

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

e5755d1.exee577a12.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e5755d1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e5755d1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e577a12.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e577a12.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e577a12.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e5755d1.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e577a12.exee5755d1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e577a12.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5755d1.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e577a12.exee5755d1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e577a12.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e577a12.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5755d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5755d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5755d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5755d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e577a12.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5755d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5755d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e577a12.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e577a12.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e577a12.exe

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 28 IoCs

Processes:

resource	yara_rule
behavioral2/memory/244-6-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/244-10-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/244-9-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/244-18-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/244-11-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/244-20-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/244-31-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/244-19-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/244-17-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/244-8-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/244-28-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/244-37-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/244-38-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/244-39-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/244-40-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/244-41-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/244-51-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/244-60-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/244-61-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/244-63-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/244-65-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/244-66-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/244-68-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/244-70-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/244-72-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/244-76-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4960-109-0x0000000000BF0000-0x0000000001CAA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4960-143-0x0000000000BF0000-0x0000000001CAA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine

UPX dump on OEP (original entry point) 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/244-6-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/244-10-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/244-9-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/244-18-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/244-11-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/244-20-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/4208-36-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/244-31-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/244-19-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/244-17-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/244-8-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/244-28-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/244-37-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/244-38-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/244-39-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/244-40-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/244-41-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/4960-49-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/244-51-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/244-60-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/244-61-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/244-63-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/244-65-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/244-66-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/244-68-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/244-70-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/244-72-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/244-93-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/244-76-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/4208-97-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/4960-109-0x0000000000BF0000-0x0000000001CAA000-memory.dmp	UPX
behavioral2/memory/4960-143-0x0000000000BF0000-0x0000000001CAA000-memory.dmp	UPX
behavioral2/memory/4960-144-0x0000000000400000-0x0000000000412000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

Processes:

e5755d1.exee575842.exee577a12.exe

pid process

244 e5755d1.exe
4208 e575842.exe
4960 e577a12.exe

pid	process
244	e5755d1.exe
4208	e575842.exe
4960	e577a12.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/244-6-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/244-10-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/244-9-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/244-18-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/244-11-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/244-20-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/244-31-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/244-19-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/244-17-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/244-8-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/244-28-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/244-37-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/244-38-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/244-39-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/244-40-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/244-41-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/244-51-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/244-60-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/244-61-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/244-63-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/244-65-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/244-66-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/244-68-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/244-70-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/244-72-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/244-76-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/4960-109-0x0000000000BF0000-0x0000000001CAA000-memory.dmp	upx
behavioral2/memory/4960-143-0x0000000000BF0000-0x0000000001CAA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e5755d1.exee577a12.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5755d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5755d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5755d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5755d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5755d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5755d1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e5755d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e577a12.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e577a12.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e577a12.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e577a12.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e577a12.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e577a12.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e577a12.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e5755d1.exee577a12.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5755d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e577a12.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e5755d1.exee577a12.exe

description	ioc	process
File opened (read-only)	\??\J:	e5755d1.exe
File opened (read-only)	\??\L:	e5755d1.exe
File opened (read-only)	\??\N:	e5755d1.exe
File opened (read-only)	\??\G:	e577a12.exe
File opened (read-only)	\??\M:	e5755d1.exe
File opened (read-only)	\??\E:	e577a12.exe
File opened (read-only)	\??\H:	e577a12.exe
File opened (read-only)	\??\E:	e5755d1.exe
File opened (read-only)	\??\G:	e5755d1.exe
File opened (read-only)	\??\H:	e5755d1.exe
File opened (read-only)	\??\I:	e5755d1.exe
File opened (read-only)	\??\K:	e5755d1.exe

Drops file in Windows directory 3 IoCs

Processes:

e5755d1.exee577a12.exe

description ioc process

File created C:\Windows\e57563e e5755d1.exe
File opened for modification C:\Windows\SYSTEM.INI e5755d1.exe
File created C:\Windows\e57a9fb e577a12.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

e5755d1.exee577a12.exe

pid process

244 e5755d1.exe
244 e5755d1.exe
244 e5755d1.exe
244 e5755d1.exe
4960 e577a12.exe
4960 e577a12.exe

description	ioc	process
File created	C:\Windows\e57563e	e5755d1.exe
File opened for modification	C:\Windows\SYSTEM.INI	e5755d1.exe
File created	C:\Windows\e57a9fb	e577a12.exe

pid	process
244	e5755d1.exe
244	e5755d1.exe
244	e5755d1.exe
244	e5755d1.exe
4960	e577a12.exe
4960	e577a12.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e5755d1.exe

description	pid	process
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe
Token: SeDebugPrivilege	244	e5755d1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exee5755d1.exee577a12.exe

description	pid	process	target process
PID 1624 wrote to memory of 3376	1624	rundll32.exe	rundll32.exe
PID 1624 wrote to memory of 3376	1624	rundll32.exe	rundll32.exe
PID 1624 wrote to memory of 3376	1624	rundll32.exe	rundll32.exe
PID 3376 wrote to memory of 244	3376	rundll32.exe	e5755d1.exe
PID 3376 wrote to memory of 244	3376	rundll32.exe	e5755d1.exe
PID 3376 wrote to memory of 244	3376	rundll32.exe	e5755d1.exe
PID 244 wrote to memory of 768	244	e5755d1.exe	fontdrvhost.exe
PID 244 wrote to memory of 772	244	e5755d1.exe	fontdrvhost.exe
PID 244 wrote to memory of 1016	244	e5755d1.exe	dwm.exe
PID 244 wrote to memory of 2720	244	e5755d1.exe	sihost.exe
PID 244 wrote to memory of 3096	244	e5755d1.exe	svchost.exe
PID 244 wrote to memory of 3184	244	e5755d1.exe	taskhostw.exe
PID 244 wrote to memory of 3388	244	e5755d1.exe	Explorer.EXE
PID 244 wrote to memory of 3552	244	e5755d1.exe	svchost.exe
PID 244 wrote to memory of 3748	244	e5755d1.exe	DllHost.exe
PID 244 wrote to memory of 3848	244	e5755d1.exe	StartMenuExperienceHost.exe
PID 244 wrote to memory of 3912	244	e5755d1.exe	RuntimeBroker.exe
PID 244 wrote to memory of 4032	244	e5755d1.exe	SearchApp.exe
PID 244 wrote to memory of 4084	244	e5755d1.exe	RuntimeBroker.exe
PID 244 wrote to memory of 4192	244	e5755d1.exe	RuntimeBroker.exe
PID 244 wrote to memory of 3728	244	e5755d1.exe	TextInputHost.exe
PID 244 wrote to memory of 4536	244	e5755d1.exe	backgroundTaskHost.exe
PID 244 wrote to memory of 2264	244	e5755d1.exe	backgroundTaskHost.exe
PID 244 wrote to memory of 1624	244	e5755d1.exe	rundll32.exe
PID 244 wrote to memory of 3376	244	e5755d1.exe	rundll32.exe
PID 244 wrote to memory of 3376	244	e5755d1.exe	rundll32.exe
PID 3376 wrote to memory of 4208	3376	rundll32.exe	e575842.exe
PID 3376 wrote to memory of 4208	3376	rundll32.exe	e575842.exe
PID 3376 wrote to memory of 4208	3376	rundll32.exe	e575842.exe
PID 3376 wrote to memory of 4960	3376	rundll32.exe	e577a12.exe
PID 3376 wrote to memory of 4960	3376	rundll32.exe	e577a12.exe
PID 3376 wrote to memory of 4960	3376	rundll32.exe	e577a12.exe
PID 244 wrote to memory of 768	244	e5755d1.exe	fontdrvhost.exe
PID 244 wrote to memory of 772	244	e5755d1.exe	fontdrvhost.exe
PID 244 wrote to memory of 1016	244	e5755d1.exe	dwm.exe
PID 244 wrote to memory of 2720	244	e5755d1.exe	sihost.exe
PID 244 wrote to memory of 3096	244	e5755d1.exe	svchost.exe
PID 244 wrote to memory of 3184	244	e5755d1.exe	taskhostw.exe
PID 244 wrote to memory of 3388	244	e5755d1.exe	Explorer.EXE
PID 244 wrote to memory of 3552	244	e5755d1.exe	svchost.exe
PID 244 wrote to memory of 3748	244	e5755d1.exe	DllHost.exe
PID 244 wrote to memory of 3848	244	e5755d1.exe	StartMenuExperienceHost.exe
PID 244 wrote to memory of 3912	244	e5755d1.exe	RuntimeBroker.exe
PID 244 wrote to memory of 4032	244	e5755d1.exe	SearchApp.exe
PID 244 wrote to memory of 4084	244	e5755d1.exe	RuntimeBroker.exe
PID 244 wrote to memory of 4192	244	e5755d1.exe	RuntimeBroker.exe
PID 244 wrote to memory of 3728	244	e5755d1.exe	TextInputHost.exe
PID 244 wrote to memory of 4536	244	e5755d1.exe	backgroundTaskHost.exe
PID 244 wrote to memory of 2264	244	e5755d1.exe	backgroundTaskHost.exe
PID 244 wrote to memory of 4208	244	e5755d1.exe	e575842.exe
PID 244 wrote to memory of 4208	244	e5755d1.exe	e575842.exe
PID 244 wrote to memory of 4960	244	e5755d1.exe	e577a12.exe
PID 244 wrote to memory of 4960	244	e5755d1.exe	e577a12.exe
PID 4960 wrote to memory of 768	4960	e577a12.exe	fontdrvhost.exe
PID 4960 wrote to memory of 772	4960	e577a12.exe	fontdrvhost.exe
PID 4960 wrote to memory of 1016	4960	e577a12.exe	dwm.exe
PID 4960 wrote to memory of 2720	4960	e577a12.exe	sihost.exe
PID 4960 wrote to memory of 3096	4960	e577a12.exe	svchost.exe
PID 4960 wrote to memory of 3184	4960	e577a12.exe	taskhostw.exe
PID 4960 wrote to memory of 3388	4960	e577a12.exe	Explorer.EXE
PID 4960 wrote to memory of 3552	4960	e577a12.exe	svchost.exe
PID 4960 wrote to memory of 3748	4960	e577a12.exe	DllHost.exe
PID 4960 wrote to memory of 3848	4960	e577a12.exe	StartMenuExperienceHost.exe
PID 4960 wrote to memory of 3912	4960	e577a12.exe	RuntimeBroker.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e577a12.exee5755d1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e577a12.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5755d1.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:768

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:772

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1016

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3096

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3184

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3388

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dba03af913c5ecbaee9b89aeb9de4d017cdd22b784604713711d3837d637236f.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dba03af913c5ecbaee9b89aeb9de4d017cdd22b784604713711d3837d637236f.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:3376

C:\Users\Admin\AppData\Local\Temp\e5755d1.exe
C:\Users\Admin\AppData\Local\Temp\e5755d1.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:244

C:\Users\Admin\AppData\Local\Temp\e575842.exe
C:\Users\Admin\AppData\Local\Temp\e575842.exe
4⤵
- Executes dropped EXE
PID:4208

C:\Users\Admin\AppData\Local\Temp\e577a12.exe
C:\Users\Admin\AppData\Local\Temp\e577a12.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3552

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3748

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3848

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3912

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4032

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4084

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4192

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3728

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:4536

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2264

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4012

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2284

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e5755d1.exe
Filesize
97KB

MD5
d883c79d5d158270097407f3a27736a8

SHA1
aa6a2dcdfecac50ca783cb09a8e69bce36f31ee5

SHA256
bf8089541c92c92241a7c364ea46a1de748a1072b2c8ff1a27a64afa16a3225d

SHA512
982e784a42fec5054cf3d75dfa2d937441b5b330f7bec749f4630a600f18c987eb4197a70dd1eca12485f75cb2d325ada51359dfb000cf4a96b163333407ad35

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
0e4766455fc922b6697ed832fac1043e

SHA1
6ce0bf9dd20e88afba125db26ac1e5097e4edcb1

SHA256
c4debe2609087517fcf0d5a987713e5846cfd3a115d326916f119a029a9f0791

SHA512
ab7b208c438eb88549883b11649596a9fb6b12af1483fb190b978e445d5a801f2476064bee09e1f93ca93c15044ed312a2039d4634b434b1e665f9af84aa5a21

Download Submit
memory/244-39-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/244-72-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/244-10-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/244-9-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/244-18-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/244-11-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/244-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/244-76-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/244-20-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/244-93-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/244-31-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/244-81-0x0000000000600000-0x0000000000602000-memory.dmp

Filesize
8KB

Download
memory/244-32-0x0000000000600000-0x0000000000602000-memory.dmp

Filesize
8KB

Download
memory/244-6-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/244-26-0x00000000040F0000-0x00000000040F1000-memory.dmp

Filesize
4KB

Download
memory/244-51-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/244-19-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/244-17-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/244-8-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/244-28-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/244-41-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/244-38-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/244-70-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/244-40-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/244-37-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/244-68-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/244-35-0x0000000000600000-0x0000000000602000-memory.dmp

Filesize
8KB

Download
memory/244-66-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/244-65-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/244-63-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/244-61-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/244-60-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/3376-29-0x00000000007F0000-0x00000000007F2000-memory.dmp

Filesize
8KB

Download
memory/3376-30-0x0000000003BD0000-0x0000000003BD1000-memory.dmp

Filesize
4KB

Download
memory/3376-21-0x00000000007F0000-0x00000000007F2000-memory.dmp

Filesize
8KB

Download
memory/3376-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/3376-22-0x00000000007F0000-0x00000000007F2000-memory.dmp

Filesize
8KB

Download
memory/4208-36-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4208-53-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4208-97-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4208-58-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4208-56-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4960-59-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4960-55-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4960-57-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4960-49-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4960-109-0x0000000000BF0000-0x0000000001CAA000-memory.dmp

Filesize
16.7MB

Download
memory/4960-143-0x0000000000BF0000-0x0000000001CAA000-memory.dmp

Filesize
16.7MB

Download
memory/4960-144-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download