sality | a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb

Analysis

max time kernel
121s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Size

767KB
MD5

96231ea3e5180858d217f6d07492d54c
SHA1

ecf185fca21c97fface0d2101d06e50a1a42f8e7
SHA256

a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb
SHA512

8182b938c2341fbbd65499b8f823731c7fea05e59ad9fe8e5eb145b284c220b911061b3a03e2dc78b2b1d7110b30b575f60331a43062effa6940f9933b5165c1
SSDEEP

12288:X1V4L4PCtGDtlLJgsGoT6gYAMkZ6XlwAcMs+50tgAakT7hs5fDDbbjmh8Q0uRgIe:X1VUQDtlLJg3or6XKAsCIRVbCA92

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe

Downloads MZ/PE file

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3000-1-0x0000000001E00000-0x0000000002EBA000-memory.dmp	upx
behavioral1/memory/3000-3-0x0000000001E00000-0x0000000002EBA000-memory.dmp	upx
behavioral1/memory/3000-7-0x0000000001E00000-0x0000000002EBA000-memory.dmp	upx
behavioral1/memory/3000-10-0x0000000001E00000-0x0000000002EBA000-memory.dmp	upx
behavioral1/memory/3000-5-0x0000000001E00000-0x0000000002EBA000-memory.dmp	upx
behavioral1/memory/3000-11-0x0000000001E00000-0x0000000002EBA000-memory.dmp	upx
behavioral1/memory/3000-9-0x0000000001E00000-0x0000000002EBA000-memory.dmp	upx
behavioral1/memory/3000-8-0x0000000001E00000-0x0000000002EBA000-memory.dmp	upx
behavioral1/memory/3000-6-0x0000000001E00000-0x0000000002EBA000-memory.dmp	upx
behavioral1/memory/3000-4-0x0000000001E00000-0x0000000002EBA000-memory.dmp	upx
behavioral1/memory/3000-33-0x0000000001E00000-0x0000000002EBA000-memory.dmp	upx
behavioral1/memory/3000-35-0x0000000001E00000-0x0000000002EBA000-memory.dmp	upx
behavioral1/memory/3000-34-0x0000000001E00000-0x0000000002EBA000-memory.dmp	upx
behavioral1/memory/3000-36-0x0000000001E00000-0x0000000002EBA000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe

Drops file in Windows directory 2 IoCs

Processes:

a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
File created	C:\Windows\f762368	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = c0e17afd1acbda01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000171159f78bcbc542a48f3458f31a9103000000000200000000001066000000010000200000001eb3dfef55486e7ad04f51c37692c3dc7b7e2692d4520560c37d8413f27ad73f000000000e8000000002000020000000289b47c2470464726d82bb643783212dd385adc1d5e839cf9f0268b8271c434520000000ed29e02ca36cc43b0f23e1f5b0634ee46c4c1010c8a79310b1061b4a6221e77640000000a13d78784892973f9d64e61a9fe6b2814c29efee6ff186d2ebf31005bdb370d669b9752baf18f16eaf811a1aeaf6a57a3332ef2795e36373db2220ca1e2df8e5	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8012550f1bcbda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425933839"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000171159f78bcbc542a48f3458f31a910300000000020000000000106600000001000020000000557ab62460cfd7ea0c0752022c48529e10d5f57e003715dd3b8e9a2d94142644000000000e8000000002000020000000dfda3927885c2af373589370b076d2dfc240022970502f56aaae9796871d2e71900000000bc3400e10dd4700792e6979dbf3c080f00a3ea1d17e249a799a09ed1d0ba92188fa2e0e95dd2b448d985a3b13578a7becf7c289271a7e62d8fb0a4120e3c7fa7ecf144792887e0093ed02756159fd0232ab35901064f30cded5c499edf18c3a96ceb4129a0e1024545d42485abdc1e0a8144da9d8a2dcf9f503b4181977c012a6b2543e25df2bf7b5e62d0c4e3c1bd940000000f7aa68d81de9851ab0fdd26180b7a3f06de3339ca403d2c2d7a99505aedb52a177c653ee92957f0fed26e2b980055dd4aed00704a23b0725412b016ceab2f14b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{39763261-370E-11EF-8414-4A4F109F65B0} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe

pid process

3000 a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe

pid	process
3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe

description	pid	process
Token: SeDebugPrivilege	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Token: SeDebugPrivilege	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Token: SeDebugPrivilege	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Token: SeDebugPrivilege	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Token: SeDebugPrivilege	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Token: SeDebugPrivilege	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Token: SeDebugPrivilege	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Token: SeDebugPrivilege	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Token: SeDebugPrivilege	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Token: SeDebugPrivilege	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Token: SeDebugPrivilege	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Token: SeDebugPrivilege	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Token: SeDebugPrivilege	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Token: SeDebugPrivilege	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Token: SeDebugPrivilege	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Token: SeDebugPrivilege	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Token: SeDebugPrivilege	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Token: SeDebugPrivilege	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Token: SeDebugPrivilege	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
Token: SeDebugPrivilege	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2584 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2584 iexplore.exe
2584 iexplore.exe
2592 IEXPLORE.EXE
2592 IEXPLORE.EXE

pid	process
2584	iexplore.exe

pid	process
2584	iexplore.exe
2584	iexplore.exe
2592	IEXPLORE.EXE
2592	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exeiexplore.exe

description	pid	process	target process
PID 3000 wrote to memory of 1116	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe	taskhost.exe
PID 3000 wrote to memory of 1168	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe	Dwm.exe
PID 3000 wrote to memory of 1196	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe	Explorer.EXE
PID 3000 wrote to memory of 1652	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe	DllHost.exe
PID 3000 wrote to memory of 2584	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe	iexplore.exe
PID 3000 wrote to memory of 2584	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe	iexplore.exe
PID 3000 wrote to memory of 2584	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe	iexplore.exe
PID 3000 wrote to memory of 2584	3000	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe	iexplore.exe
PID 2584 wrote to memory of 2592	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 2592	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 2592	2584	iexplore.exe	IEXPLORE.EXE
PID 2584 wrote to memory of 2592	2584	iexplore.exe	IEXPLORE.EXE

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe
"C:\Users\Admin\AppData\Local\Temp\a2e3023d37322d8063e0fcf62d4e3bc57e36f97ba394960bcfbcea543b1355fb.exe"
2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3000

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://down.360safe.com/setupbeta.exe
3⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2584

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2592

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ef5757cfb535ef9f2799470fd6970f2d

SHA1
09583680a6444061c582e33a000fd75381a5b8c5

SHA256
03a2d0b4cc1e23f8b77d7e295397060d895eb6061e1d97ff3454d5fc9e930e72

SHA512
9ee1b40358e4ee5a200ccb9e8f7a4d57ab91da63e1b9f28dc8b33b37e7de2e818bb9a0bcca6ec5a6a67045563e2fbb615250dfca335116685ea28da103c9c4b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
50ce88fda960c523bd10a7745c708c30

SHA1
dd0a97b7c1353bb50b446dce2bc1acb03cdf0b5b

SHA256
510da3672f781d04e8cf259a83f4a504279eabd78a20fbf41cec4d09c99edecd

SHA512
90f7ecf9e0ae9e1c677c1cb434afd852a14903c09b51f52a023d1841b7fb8fdef82ecb3b10d77da3a2bc0f61811ae168f4b77b622df5a0cde9b0b175a87df6ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1941d77f3b4a8c7c8dfb6b59abf8ef61

SHA1
5937617f8fcc591fc0d3445b2405ba8822bfd09f

SHA256
55627b1150304223c6be9b29d1c7a0f027c0e6d51240cd765f270d3b8b97577d

SHA512
d66d53f8b21eaee71b86ce8c4ea3a2a98f7bf98981cb8317aa04e72120a133c43cff00dfa43126bbea94f0571caade41cd381b6a505485d273d80e58be3f5be3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
849f8c52569dab544e092cb1a059f116

SHA1
b28698270cd2f822090d6da9ed33fc0a00143851

SHA256
5a64b548980baf2ed4a6a3bbac0bba5fcb7aed7dcecaa28849b92df73c96507c

SHA512
043cc021ac955fc72dcc5762b5ab8611fbec2c2e359a685228a44f2738f3a0752755e26f9caa16cb81cd67fbdbe3260b2c24b047acb5ddc4bd98806710f50ffd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5a2bc9f716a6a18b4d0116cac7d312e6

SHA1
a537c7cc3ab352bbff991b8f9b61de278ff22eb4

SHA256
431176ced1154f065ddbd27dbf5b3a16943825df51b01221586d1b752c2c18ff

SHA512
1060369c7685fa2b54f37445140a46eddadebdc0023d39132994495a7f052325301bbb8f4f19be44a325adf826a82db4a8aa5f105cd1ba5f3464aaa910c8e1f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
51768591f3760d44ee3681a425861a56

SHA1
64184e22a6aedc1025106a1817d17f0869894f36

SHA256
c89cfdcf872851c2337b1a23fc4839c4aa73c117343505377fd308f91c726b96

SHA512
7839b562be1d166032c2402656a5e095ac7e7b0a38b990e508a94b792a5a86f8ad9c20b84d747c24bee407e10f9cbbc834ee11977f756579ba7b9a5e1d74e1ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
43a7e4e7aa31058c3aefd5cccbbf11ff

SHA1
e34f1f90bbda8159f9d6c0c6d17ab8652c0ae8e0

SHA256
324f23df66452c15433e85146f5b0f47e34712be9811e9b091a28eaddf132a6b

SHA512
f2e0206539f13063f3c7362f3324ea9f9fe53c3e72fd696b1d2482d5cf6da482c46f295601c8831b4bab1fdcf538ba78fad57b3930622f27076d6973bdeceec6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
45e3969950891eeb8cd129ed0295af4b

SHA1
6eb1af5cfb2b3b7f8bbf3f44d3884b3354c34727

SHA256
fed5916746c02b11a303fb4f502f32bf5a0a47342745e83e725c303118471c9d

SHA512
33d832fb60deeadcb365aa9dd5ac4d36006cd39254c55cc4f67ff6d30809492410fc2d3f8ec07d59063ab930e07be4aa90749e7bda24f6d0a9855e66687534da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d60768e8352ac0d2480103fc203b0571

SHA1
257ddcca43af0f92016320769a8cc9042b593a32

SHA256
37f88080e562c8a2a6516ff56ea437b4dfd84aed6dce57de602c2d97bf1dfbcf

SHA512
358071ef1dfa87d1f5d3fcaba254ce37f029e6ef43a60390c5a73a201d1b71f586739c97a74691dc398ffa9f4856839a4d6bd577e54c02c0f06d91cad92b08c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4c869f011cb72e7f7eb0fc026d5479b3

SHA1
238540caa66b86fa78b3d06b8f994f71af0bd652

SHA256
562fb660312628142fb6417c5e599189892fc5fce1de5a4d2e2f154878167899

SHA512
d77d168f2070858851309e12503108e4091413adf9ad0caea8691a60e0ac80e9858cbce8d0273a66641aeff4237d4a3ddfa416edccd26a13a52a1b576f676f64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
60d832d5c6dd830fb0ce5beac706b25f

SHA1
55e749be1ed76e9a48296cc875cc9bf361fcb95f

SHA256
11f505dafa5af181bfea307b51ed034d31feba515e34caecab85888170cb74a8

SHA512
76d01f29e56b83c2932c84684adb8f2c0c13d45124b4a19cb20344c66c3032e897cc1b54191593f95c06912d19b26457165436cde9fc6309f5dc0044fa85ff2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
2312ce52a5dda17aa39b2c381e0a7eef

SHA1
b30aeacd8c761ea1b4249e49f0f80bd4519b9775

SHA256
8ad29ca29c0f1c1f303be8b8af7889577f1636a7c997d4d5221b987f24924927

SHA512
62cdef95d726a3763c03c4fba367265c2f515984ec181da4c47b4ec9d90d75998a4679828cd9dc48f8e9bd0757f3eaa89b1628b6b6ad4a605bddec8d1741106f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3e36069851c2cfdecdd3db1a77a027ee

SHA1
01cfd462a7af11d508400e5f26624c114948bcbb

SHA256
3b992e7153ad8d0a9b323197088f47bb27535c56b7b4bf9c62a75185469605a4

SHA512
22503fdcc72fb66d54b49ef07adfa220f4b484ae700a6a04fe19f367d3db059dae430631425b1700be9d0cc0eebac8dcda5c90082f71309d912e05783fce8549

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
7ad40a93f819a7cd61def781636cc842

SHA1
969f94afbf86bfb4ceabcd150fe2134d9afc088e

SHA256
e82f67d8edd1123e146ccebee1dcdb2f591829f565f73718b2c688a7429abaa1

SHA512
4f33037b6654675143c8c921a1f5f90f9d6457686cc20f56504769e272d66bda902d9e8c3cc795b763a8cc756ab798608d21102d6c50c719a1b49e81f7a295ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
de29a567176a95f74f2df690e1ea7a9c

SHA1
0dc9417e22de8df3b036be92e131436ec5d2b40b

SHA256
0aff2e868eaf8436d183f17624ec5ea1504e454522dcaace0fe219ee70bac6c9

SHA512
9f25914a2eb8783841435536494b52f0666d19e1b8574b0b464a3e93afcc3a3dc4cb7adfd48f5066991037dd11954f337c706617c058fe87bdd313d4fa3d0728

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d0129ebee33be6ece7e473af3ecd7879

SHA1
8ca8ed124e5404e7f0ca85bcfa4cf08d55d3532e

SHA256
7858103325f73f3819de2101d90a87db7049d3effaab7394a3376b2c0d2ab12c

SHA512
04261b0035a7aa38bf9db5dfe4842d2ecec5b0235d4455abb83e87f02ef314360a3ebc279a79456e16524573154ade3ee7baabc4f0d9e2d968c35f37bb169796

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
bf01574f05b9dbd06cf58ecfe1e0bc6c

SHA1
680d43514855fb526c81412be54cdaa2c6c96a98

SHA256
793121e21c1b088fb72e4a77843765a231c0a27ee786bb1c6be5de685d13cb18

SHA512
1e33c9e5671ce84652dbc1e1730b0496dc460a997a81cc7f4e61edf76968fd6f93dec46918ff723e7604d19adaac17d19ce50fc7385c08ef61da5df41b9145c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3de3b33dca23c9ae8caeddecebf6a22a

SHA1
171b9d39a751f1385f7a2a8e0847c75a01d9c291

SHA256
1ef774d2a30334311f87fe18a53d2824bec582e7a2f89c9ed4c88081cf5b385b

SHA512
4a355afc3e43ed68ebd84b27c867ee6c61cd3aec1292818588dc54382547db43382d92cbbb12bb5e6109ace05dcd398eddcebbe97d67a6469fd6f385ef037044

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
6c2d09c026269c0a2673d27f7d1f39e0

SHA1
973c22ee8491c492b817e2ee007533d88deec8d5

SHA256
5eb1c36afd29e9c91ca239f2abf50cbc8a5ee0b1da556606196fea43632865de

SHA512
615070fcf1a9be6f942b4831cb7e51ee68c26985595c09903b0aef86a92522c085b51a4c1f94f7f205728d8c8439a99c546932b7a4d5236e22541b9ccc9f471a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d04a42f527e671b4ade11e984f475652

SHA1
d1cc42a6753137436f65171695e47f4d192a5cf8

SHA256
83b7549b091940ad8fc672169c12d2f5fda9c5ee65fea2f1069b3d7c6dd2caa8

SHA512
525ad32cc9b71f6f3ce6b4d094cc9ebc85de0b45c4bac09ecbe9995f8af6fcee693730ac47eb0656e53ccc5ad4fd1e9b6264954567577cd20b26cc977c37b5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6193.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6294.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1116-12-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/3000-8-0x0000000001E00000-0x0000000002EBA000-memory.dmp

Filesize
16.7MB

Download
memory/3000-40-0x0000000003280000-0x0000000003282000-memory.dmp

Filesize
8KB

Download
memory/3000-36-0x0000000001E00000-0x0000000002EBA000-memory.dmp

Filesize
16.7MB

Download
memory/3000-34-0x0000000001E00000-0x0000000002EBA000-memory.dmp

Filesize
16.7MB

Download
memory/3000-35-0x0000000001E00000-0x0000000002EBA000-memory.dmp

Filesize
16.7MB

Download
memory/3000-33-0x0000000001E00000-0x0000000002EBA000-memory.dmp

Filesize
16.7MB

Download
memory/3000-4-0x0000000001E00000-0x0000000002EBA000-memory.dmp

Filesize
16.7MB

Download
memory/3000-6-0x0000000001E00000-0x0000000002EBA000-memory.dmp

Filesize
16.7MB

Download
memory/3000-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3000-9-0x0000000001E00000-0x0000000002EBA000-memory.dmp

Filesize
16.7MB

Download
memory/3000-11-0x0000000001E00000-0x0000000002EBA000-memory.dmp

Filesize
16.7MB

Download
memory/3000-51-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3000-23-0x0000000003280000-0x0000000003282000-memory.dmp

Filesize
8KB

Download
memory/3000-31-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/3000-32-0x0000000003280000-0x0000000003282000-memory.dmp

Filesize
8KB

Download
memory/3000-24-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/3000-5-0x0000000001E00000-0x0000000002EBA000-memory.dmp

Filesize
16.7MB

Download
memory/3000-10-0x0000000001E00000-0x0000000002EBA000-memory.dmp

Filesize
16.7MB

Download
memory/3000-7-0x0000000001E00000-0x0000000002EBA000-memory.dmp

Filesize
16.7MB

Download
memory/3000-3-0x0000000001E00000-0x0000000002EBA000-memory.dmp

Filesize
16.7MB

Download
memory/3000-1-0x0000000001E00000-0x0000000002EBA000-memory.dmp

Filesize
16.7MB

Download