sality | c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0

Analysis

max time kernel
129s
max time network
145s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Size

517KB
MD5

6942ea3163e7c6550851a4ad271c3e63
SHA1

b4d303b91216a15877a8705b308be87f14f857b1
SHA256

c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0
SHA512

ddcade42eaaba8172a079d0011a5f5b9d432a31c8eb6eee4bf13a9b377b8a4ac23e0683b1b6d5f73ed3db018e603e17797b60417681a791fe5ef0128b3a9c231
SSDEEP

12288:SMsi9TgKPChl3iYOAkycjo+Zgo2WMuNrf9/:SQgKtYLtc4Sf9/

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe

Downloads MZ/PE file

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2344-9-0x0000000001EF0000-0x0000000002FAA000-memory.dmp	upx
behavioral1/memory/2344-5-0x0000000001EF0000-0x0000000002FAA000-memory.dmp	upx
behavioral1/memory/2344-6-0x0000000001EF0000-0x0000000002FAA000-memory.dmp	upx
behavioral1/memory/2344-7-0x0000000001EF0000-0x0000000002FAA000-memory.dmp	upx
behavioral1/memory/2344-11-0x0000000001EF0000-0x0000000002FAA000-memory.dmp	upx
behavioral1/memory/2344-31-0x0000000001EF0000-0x0000000002FAA000-memory.dmp	upx
behavioral1/memory/2344-4-0x0000000001EF0000-0x0000000002FAA000-memory.dmp	upx
behavioral1/memory/2344-3-0x0000000001EF0000-0x0000000002FAA000-memory.dmp	upx
behavioral1/memory/2344-10-0x0000000001EF0000-0x0000000002FAA000-memory.dmp	upx
behavioral1/memory/2344-8-0x0000000001EF0000-0x0000000002FAA000-memory.dmp	upx
behavioral1/memory/2344-35-0x0000000001EF0000-0x0000000002FAA000-memory.dmp	upx
behavioral1/memory/2344-36-0x0000000001EF0000-0x0000000002FAA000-memory.dmp	upx
behavioral1/memory/2344-37-0x0000000001EF0000-0x0000000002FAA000-memory.dmp	upx
behavioral1/memory/2344-38-0x0000000001EF0000-0x0000000002FAA000-memory.dmp	upx
behavioral1/memory/2344-42-0x0000000001EF0000-0x0000000002FAA000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe

Drops file in Windows directory 2 IoCs

Processes:

c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe

description	ioc	process
File created	C:\Windows\f7611ad	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
File opened for modification	C:\Windows\SYSTEM.INI	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 50652f2ceec9da01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{684E6A91-35E1-11EF-90EB-D671A15513D2} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb8100000000020000000000106600000001000020000000e33e2cad5f25aff7af7d225c5a9c83ee4f62bdf7063b979067e2142d84066669000000000e8000000002000020000000d127532b3f6367079e9bb11bf1170443946545711070bf5edeaca75f7d08ae3520000000da254bb21cecf6b8e242bf27670c7b6e9b4f06cb171170e5f5e84ba928a66e184000000079e2977d46b7ff9fcb1e2c318c372508417e6226699af9d9f3bab71c62380b195427e5d86530ba82995692b251e8236f4b554c8d0b2c84688d28b44c679d276a	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb81000000000200000000001066000000010000200000003a4f6bc42faa6cf1c3a918a33fa97908b9b113adc1ccaf8f22c8b02febeb0f60000000000e8000000002000020000000f977c6ab6c156012a222836dc8d525c89476b8df4631385c355874da54f7f7a69000000065edfe59bf9a8fadd97fb4ffea8e634007927c7f910f68a656239d9a91ee33727ba629bcd8082c9dbea118b8b5be99365a19a9e61b299aaeabadac0c4f84db21b8f9c3c348677a582264b06da1c6a7b905e64b93f9851b6a449e456f5930aa4d8e3ff78d2a6d7b587b42cf75a5c88cd10524ca8c5de6feacee294b62fd16b76fe5667460d3faa62f8e164f2fdffd3dd140000000f45dfc3646ec5426cdcddc7fa0fe6d865d3d827d75e8e302b8f98bd13ebc3a28f8d42e342592f67be1c1cdd1f638711e990759120bef5d74a540e3595b35931c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425804640"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0600e3eeec9da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe

pid process

2344 c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe

pid	process
2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe

description	pid	process
Token: SeDebugPrivilege	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Token: SeDebugPrivilege	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Token: SeDebugPrivilege	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Token: SeDebugPrivilege	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Token: SeDebugPrivilege	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Token: SeDebugPrivilege	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Token: SeDebugPrivilege	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Token: SeDebugPrivilege	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Token: SeDebugPrivilege	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Token: SeDebugPrivilege	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Token: SeDebugPrivilege	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Token: SeDebugPrivilege	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Token: SeDebugPrivilege	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Token: SeDebugPrivilege	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Token: SeDebugPrivilege	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Token: SeDebugPrivilege	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Token: SeDebugPrivilege	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Token: SeDebugPrivilege	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Token: SeDebugPrivilege	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
Token: SeDebugPrivilege	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2676 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2676 iexplore.exe
2676 iexplore.exe
2488 IEXPLORE.EXE
2488 IEXPLORE.EXE

pid	process
2676	iexplore.exe

pid	process
2676	iexplore.exe
2676	iexplore.exe
2488	IEXPLORE.EXE
2488	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exeiexplore.exe

description	pid	process	target process
PID 2344 wrote to memory of 1136	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe	taskhost.exe
PID 2344 wrote to memory of 1224	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe	Dwm.exe
PID 2344 wrote to memory of 1264	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe	Explorer.EXE
PID 2344 wrote to memory of 948	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe	DllHost.exe
PID 2344 wrote to memory of 2676	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe	iexplore.exe
PID 2344 wrote to memory of 2676	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe	iexplore.exe
PID 2344 wrote to memory of 2676	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe	iexplore.exe
PID 2344 wrote to memory of 2676	2344	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe	iexplore.exe
PID 2676 wrote to memory of 2488	2676	iexplore.exe	IEXPLORE.EXE
PID 2676 wrote to memory of 2488	2676	iexplore.exe	IEXPLORE.EXE
PID 2676 wrote to memory of 2488	2676	iexplore.exe	IEXPLORE.EXE
PID 2676 wrote to memory of 2488	2676	iexplore.exe	IEXPLORE.EXE

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1136

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1224

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe
"C:\Users\Admin\AppData\Local\Temp\c52fe6f7d0e4bef009af7eecfbc46490196fdb47146a55d7cb8f57e245b2f8b0.exe"
2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2344

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://down.360safe.com/setupbeta.exe
3⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2676 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2488

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:948

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
af176586fc002136d873c60afc45837c

SHA1
cf0288886d9c9a8e3ab743b22082a0443083bbdf

SHA256
6edb9153518b4ad994e2bdd3ca670a5032157f5fd42e7b3b4e0c799ef1836c1e

SHA512
93b702425784a708f5c7ccfad6f7594275c8be2bfaf099a5548aac5209419b240ad429933097d4d3c7e7436f1ccc1133fcb55fa32de9b74175f60f6a95600b86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
fca70b894e1241b7d711694d75ea800e

SHA1
a0b3a148d042c27710a4dffa669218fb477a4aa8

SHA256
be411bd0bafb9f96fd5a04881a528037e52f172b829209ab18e39ab45375149d

SHA512
78a877c327b5fc331dc6a20ab5d1286099eb752a6e494c5e371168e6d0e1de23687c31045af684575095fe4ccb8d3fcee82077d7c1bafb8c6164927429070ec3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
dfd3890ecc6134fa524ef8bd1b6975fb

SHA1
53372d94864b0a6e713457346fc456fdae4ffcf9

SHA256
ad4796a51634c14c519893170a7e9281c600c5d87303be7704be77d17e94d9f9

SHA512
cf19c9f018f65feffa87e9327ca2c97893ae7e4efd13f39d41ac2910fc43c742116f2c53defffc972f2bf261ee338df790ea18871efeb20f7a66d4ea0646d8a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
fc877ca603e18fdefa85abdcb48ba999

SHA1
fa5d00ad0da82e1288fe93af23e382d5c995181f

SHA256
848033fd8abc4c4b7f50740012d863286e82ed08151b954d7a488cf7db96ba19

SHA512
cecdcded69279956b1e2e002ce8a9e6707bc5e014811809343be6c4776b22afe3ef763fcfe5c800c5ef8c5d54b54fbc09e55ff6110a7e6c79acc76beb769157c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3bb3d663190ad1883e2a252f73bb80b0

SHA1
e061381663314b3f91a8c68b6e2f345f09fecb52

SHA256
d6af58617fe4286a9c93da17bf644211a9e6ee316514651becabf0a592716d5a

SHA512
2e2dd7a9cce4df17889ead4ea7055288f0820cdc053435cb9d5038a09b12197cbdd7e6c6594c9c682216f8893bdc586b4a61082285bb37a01010f6a0d6b7362f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4ec2e1791a62720387fa3b42219024f3

SHA1
0d42b14db50166841b0c1af3f81625d2034a4d44

SHA256
a11a729e6e9817d14d721fcb6c1f1d007de21b41949072500120218c350c3758

SHA512
a94a930abb06ef02bb4d3a20c5acce1d108de375a034a3707d9c8f39fbe3cfbd6ab7564356338768d68ee375ce6476d63d24f4f0ad394d2752ee03834fa7293c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
911e98832e9f918d6049d4c3bff1e851

SHA1
7d0ea9aadb20740742ea03cffe90eaef856455e6

SHA256
a98e04cb6eab195d5fedeb0975a4854e99cb04f0786e8010b7c36b5343ae8f6c

SHA512
408897f3149f2e87ea0a0d5ed2cd5ba09a904738a94afac253b26455162e40a688d5faebc5beaa47743cbcb03712c785380469e3b22536cba60d4a013592f907

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a6e60a7fa4fdaee5a8682629fc43c562

SHA1
05140d6823881da1cf7acc31626b41cfe48bee87

SHA256
557badfb4fac4548516e17d0e30830fde3e6f0659910bdda781d3ab3ad36cf67

SHA512
bf7bdddf0f0b2697105ef724486093858fd56a3d3cf5becc31094d86f02e361fd4f61f3d3c88055303c7fe85ed1412ea910c0b3a6c6ff9e024c99b3d8726d743

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
78057638502855f7fc77dc36d691e147

SHA1
e0696a588cf8dd2e436fee8dd6f545cfb80e777c

SHA256
d04de7cf029bfd54ea2ef503468b0bb328fab2cbbca049b33c6c69f39a8680ce

SHA512
8597c9736281684809320b12e521f91766d5be32d981653185f35c5cbe259eb00bca2c3afd753eef5704309ff478281a5f6b84bac17611eb184e2d1d50726058

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b08e015418bb051db34596087c5527e9

SHA1
d19f1f7438b78ce04c04d713402cb7746b9470fa

SHA256
a4d4d34aeed55a52e01a3e9766fc74b349b04fef18be11f912a46f3ba676eead

SHA512
ace37e62943f36e375446e74c75951d58f6733cc10cefccf429787cc69612beaefa6b997cf56d986ad84ce73b267fc281569ccb2fcdbbaae993c3a9b2524e0ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9d0cc5e80a7ca89a29cf25f07f60fed5

SHA1
b3a9766761f286aa472fc19d0fa314cc0b31fabd

SHA256
1c130cb0cee2a3adf43dae678b4e68a97c9499e2a5664d36d6fcbc4d1abf36b9

SHA512
afc0dc8b829f1c804f9e622fdbb33c4a19c6c3508a629b604d873eed19896e319d0e3257a939f86577c64a32fa6f364a52d93955211787f54da388023115be3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1be88abad7510e35dae374a8057e99f0

SHA1
568f0277f86dba27df8153fdefe5625d14e7227c

SHA256
60dd634b237c52f54d41c0a32b8b101f5dfa3394387a90d9cfe90055d34c9bb2

SHA512
1f46a872f50eba67cdc7363f4ab0610bd2b4f265bf08d66e64b934041182c4529ab934e465ce23fbc7627185587b0b75a91aac31e0386f88f5fc695035cd6fb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5d400bae9958dacaa2f9de906da00d9e

SHA1
24fa035e5960a09e8a15bd8cf2cbc7ebde3f1799

SHA256
3ce91c5644df4e09130f31dbbbb47a3e1f19a0c5ad7dc7cd3a84224b68c7e264

SHA512
d24450d001dc4c4618749905717524e0b4c157dd55c04edf27070b0a0b57b797eebcce0a21de00ce23b09a053efc93321a181953825f07ee416829963664aa66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
96fcb9ad4d7c46d10c2ae2258fc97303

SHA1
7bc36ec2c774cc6719ba0b5baf106673d9661ff7

SHA256
6d77154266b43a3ca1d7c0bd95e4b15ffd9123b626f7663415e21bb58cf5fbe3

SHA512
74e06ef471535cce367d0fa72403fb929663d267927e093bda2ea0241bcbcbc07f23cc525a0196d51d8ac2b52edbaf5ea57798d9b47be568f139d4f262d87b44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
7805357b8750bac4bc001e2340607b34

SHA1
abc7f995b4c7759edb711e3b16e7de9cab2ca52f

SHA256
c6d7d0fdc0630597ee57c85e0f6e6c998be98ba5146ad66460c5e4fe5ea6a6bc

SHA512
07c3ef8dfabc89af3fb6dbeb0c5f3b5b8ce80a25481e52e214fc68c3caddd90b84977c188f1d1cbc5c27fdeaa31c0eee82e6e9bfca56b6947060678d11cded77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d6d3011b4974e9805c67d9c435e0b9dd

SHA1
dda750d01b0d97af1dd128d82f411ca7c23464bf

SHA256
046f22d91ce828bf22df0e9b0ccf4a6ec8ceffd13188868e6268ec8da3af03f8

SHA512
48451e2500f8f2c41465f18014fccaa8dd7d70df3ce3b71482a1d64ed4a00c5eae05ad4e60ca275d65c77ba6844c9adc62127bbe5f75bc985815199b1f212a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
62a8f052e5dd8e7711d42424f79b25e0

SHA1
2c76782f6b8e7cfe441598219b71b567db302592

SHA256
58491a6d8fb7b683bd7f7e02bf8638c273bce173817e0f75164c3840af7463d8

SHA512
e9a19d05b51c2668c053fb2ee7d9dd07f1ca23b4937f68112210633187949d1c1a87f14690d9a18f1d69abad9b419f4521edf745dcbfdac08f5c325acdb513b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
0bc7d557e47d7e37a4b8e30100ad3089

SHA1
5fd15c551ee486365e83f9cc6113661ceea91652

SHA256
172a1c56313209c39b47bd9004db46a5c9236fe9cfb4120352341f474721f022

SHA512
daf94154e34facc5b4845d1ece969c98d45444f6520a2c1a89874567403c768bfad88ae64b3db1685c3c5954a1ed6f259408b1f79a4414c9b660b60a19e48b05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
2b0ec49fd01df72f84056edf87021b96

SHA1
f275bb1b5062d3b8b67cecef3e20cb23691ca13c

SHA256
210e871b50efb96df8716f7fdec286fddea49691cb07a1ea4485aab3baec7097

SHA512
a7ec381cdbc873c7014ff30a471264c3b18d47d62d93abb7768ef128f79fe1725dc35642a57cb05712c95ddfc7b35d726a0e3695ea9ff972c0e6d74e725668fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab53EB.tmp
Filesize
67KB

MD5
2d3dcf90f6c99f47e7593ea250c9e749

SHA1
51be82be4a272669983313565b4940d4b1385237

SHA256
8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4

SHA512
9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar54AF.tmp
Filesize
160KB

MD5
7186ad693b8ad9444401bd9bcd2217c2

SHA1
5c28ca10a650f6026b0df4737078fa4197f3bac1

SHA256
9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed

SHA512
135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

Download Submit
memory/1136-12-0x0000000000410000-0x0000000000412000-memory.dmp

Filesize
8KB

Download
memory/2344-4-0x0000000001EF0000-0x0000000002FAA000-memory.dmp

Filesize
16.7MB

Download
memory/2344-22-0x0000000000890000-0x0000000000892000-memory.dmp

Filesize
8KB

Download
memory/2344-42-0x0000000001EF0000-0x0000000002FAA000-memory.dmp

Filesize
16.7MB

Download
memory/2344-57-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2344-38-0x0000000001EF0000-0x0000000002FAA000-memory.dmp

Filesize
16.7MB

Download
memory/2344-37-0x0000000001EF0000-0x0000000002FAA000-memory.dmp

Filesize
16.7MB

Download
memory/2344-36-0x0000000001EF0000-0x0000000002FAA000-memory.dmp

Filesize
16.7MB

Download
memory/2344-35-0x0000000001EF0000-0x0000000002FAA000-memory.dmp

Filesize
16.7MB

Download
memory/2344-8-0x0000000001EF0000-0x0000000002FAA000-memory.dmp

Filesize
16.7MB

Download
memory/2344-10-0x0000000001EF0000-0x0000000002FAA000-memory.dmp

Filesize
16.7MB

Download
memory/2344-3-0x0000000001EF0000-0x0000000002FAA000-memory.dmp

Filesize
16.7MB

Download
memory/2344-41-0x0000000000890000-0x0000000000892000-memory.dmp

Filesize
8KB

Download
memory/2344-23-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/2344-0-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2344-31-0x0000000001EF0000-0x0000000002FAA000-memory.dmp

Filesize
16.7MB

Download
memory/2344-32-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/2344-33-0x0000000000890000-0x0000000000892000-memory.dmp

Filesize
8KB

Download
memory/2344-11-0x0000000001EF0000-0x0000000002FAA000-memory.dmp

Filesize
16.7MB

Download
memory/2344-34-0x0000000000890000-0x0000000000892000-memory.dmp

Filesize
8KB

Download
memory/2344-7-0x0000000001EF0000-0x0000000002FAA000-memory.dmp

Filesize
16.7MB

Download
memory/2344-6-0x0000000001EF0000-0x0000000002FAA000-memory.dmp

Filesize
16.7MB

Download
memory/2344-5-0x0000000001EF0000-0x0000000002FAA000-memory.dmp

Filesize
16.7MB

Download
memory/2344-9-0x0000000001EF0000-0x0000000002FAA000-memory.dmp

Filesize
16.7MB

Download