sality | 0726bb3e17a3767a59c0cf84543f95189fbe46b3b3c209f0a126d82aebe13320

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0726bb3e17a3767a59c0cf84543f95189fbe46b3b3c209f0a126d82aebe13320.dll
Size

120KB
MD5

96a281d0811589bbfd15fffb6b24779c
SHA1

2632489eb13cd8ba4e55b850ffa6cec6275ad2c5
SHA256

0726bb3e17a3767a59c0cf84543f95189fbe46b3b3c209f0a126d82aebe13320
SHA512

9380488aad0c507bc0197470674a5618b4a0d14f7dd2e214ab0162a7d22c56c300fab74ab3d840c49405eaf18bd65f416078c1bb1a22feb6ea513f769b3f9ed7
SSDEEP

1536:kj8cBPBdFbMA0V8CVQ7H6qmEaskkSkwTBR3K4mR6ouqb2ouOLmelowvrD:Y0ViaqEscDTLLLouqCoaQz

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

f761a92.exef76360e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f761a92.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f76360e.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f76360e.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f76360e.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f761a92.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f761a92.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f76360e.exef761a92.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f76360e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f761a92.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f76360e.exef761a92.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f76360e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f76360e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f76360e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f76360e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f761a92.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f761a92.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f761a92.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f761a92.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f761a92.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f761a92.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f76360e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f76360e.exe

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 24 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2044-12-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2044-14-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2044-15-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2044-16-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2044-17-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2044-19-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2044-20-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2044-21-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2044-18-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2044-22-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2044-63-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2044-64-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2044-65-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2044-66-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2044-67-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2044-69-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2044-70-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2044-84-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2044-87-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2044-88-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2044-106-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2044-157-0x0000000000520000-0x00000000015DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2480-163-0x0000000000A60000-0x0000000001B1A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2480-211-0x0000000000A60000-0x0000000001B1A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine

UPX dump on OEP (original entry point) 28 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2044-12-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2044-14-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2044-15-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2044-16-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2044-17-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2044-19-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2044-20-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2044-21-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2716-62-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral1/memory/2044-18-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2044-22-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2044-63-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2044-64-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2044-65-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2044-66-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2044-67-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2044-69-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2044-70-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2044-84-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2044-87-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2044-88-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2044-106-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2044-156-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral1/memory/2044-157-0x0000000000520000-0x00000000015DA000-memory.dmp	UPX
behavioral1/memory/2716-161-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral1/memory/2480-163-0x0000000000A60000-0x0000000001B1A000-memory.dmp	UPX
behavioral1/memory/2480-212-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral1/memory/2480-211-0x0000000000A60000-0x0000000001B1A000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

Processes:

f761a92.exef761c95.exef76360e.exe

pid process

2044 f761a92.exe
2716 f761c95.exe
2480 f76360e.exe
Loads dropped DLL 6 IoCs

Processes:

rundll32.exe

pid process

3024 rundll32.exe
3024 rundll32.exe
3024 rundll32.exe
3024 rundll32.exe
3024 rundll32.exe
3024 rundll32.exe

pid	process
2044	f761a92.exe
2716	f761c95.exe
2480	f76360e.exe

pid	process
3024	rundll32.exe
3024	rundll32.exe
3024	rundll32.exe
3024	rundll32.exe
3024	rundll32.exe
3024	rundll32.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2044-12-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2044-14-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2044-15-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2044-16-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2044-17-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2044-19-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2044-20-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2044-21-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2044-18-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2044-22-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2044-63-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2044-64-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2044-65-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2044-66-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2044-67-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2044-69-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2044-70-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2044-84-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2044-87-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2044-88-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2044-106-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2044-157-0x0000000000520000-0x00000000015DA000-memory.dmp	upx
behavioral1/memory/2480-163-0x0000000000A60000-0x0000000001B1A000-memory.dmp	upx
behavioral1/memory/2480-211-0x0000000000A60000-0x0000000001B1A000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f761a92.exef76360e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f761a92.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f761a92.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f76360e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f761a92.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f76360e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f761a92.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f76360e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f76360e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f76360e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f76360e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f76360e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f761a92.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f761a92.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f761a92.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f761a92.exef76360e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f761a92.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f76360e.exe

Enumerates connected drives 3 TTPs 17 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f761a92.exef76360e.exe

description	ioc	process
File opened (read-only)	\??\S:	f761a92.exe
File opened (read-only)	\??\J:	f761a92.exe
File opened (read-only)	\??\P:	f761a92.exe
File opened (read-only)	\??\Q:	f761a92.exe
File opened (read-only)	\??\R:	f761a92.exe
File opened (read-only)	\??\G:	f76360e.exe
File opened (read-only)	\??\H:	f761a92.exe
File opened (read-only)	\??\M:	f761a92.exe
File opened (read-only)	\??\N:	f761a92.exe
File opened (read-only)	\??\T:	f761a92.exe
File opened (read-only)	\??\G:	f761a92.exe
File opened (read-only)	\??\K:	f761a92.exe
File opened (read-only)	\??\L:	f761a92.exe
File opened (read-only)	\??\E:	f761a92.exe
File opened (read-only)	\??\I:	f761a92.exe
File opened (read-only)	\??\O:	f761a92.exe
File opened (read-only)	\??\E:	f76360e.exe

Drops file in Windows directory 3 IoCs

Processes:

f761a92.exef76360e.exe

description ioc process

File created C:\Windows\f761b1f f761a92.exe
File opened for modification C:\Windows\SYSTEM.INI f761a92.exe
File created C:\Windows\f766b9f f76360e.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f761a92.exef76360e.exe

pid process

2044 f761a92.exe
2044 f761a92.exe
2480 f76360e.exe

description	ioc	process
File created	C:\Windows\f761b1f	f761a92.exe
File opened for modification	C:\Windows\SYSTEM.INI	f761a92.exe
File created	C:\Windows\f766b9f	f76360e.exe

pid	process
2044	f761a92.exe
2044	f761a92.exe
2480	f76360e.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

f761a92.exef76360e.exe

description	pid	process
Token: SeDebugPrivilege	2044	f761a92.exe
Token: SeDebugPrivilege	2044	f761a92.exe
Token: SeDebugPrivilege	2044	f761a92.exe
Token: SeDebugPrivilege	2044	f761a92.exe
Token: SeDebugPrivilege	2044	f761a92.exe
Token: SeDebugPrivilege	2044	f761a92.exe
Token: SeDebugPrivilege	2044	f761a92.exe
Token: SeDebugPrivilege	2044	f761a92.exe
Token: SeDebugPrivilege	2044	f761a92.exe
Token: SeDebugPrivilege	2044	f761a92.exe
Token: SeDebugPrivilege	2044	f761a92.exe
Token: SeDebugPrivilege	2044	f761a92.exe
Token: SeDebugPrivilege	2044	f761a92.exe
Token: SeDebugPrivilege	2044	f761a92.exe
Token: SeDebugPrivilege	2044	f761a92.exe
Token: SeDebugPrivilege	2044	f761a92.exe
Token: SeDebugPrivilege	2044	f761a92.exe
Token: SeDebugPrivilege	2044	f761a92.exe
Token: SeDebugPrivilege	2044	f761a92.exe
Token: SeDebugPrivilege	2044	f761a92.exe
Token: SeDebugPrivilege	2044	f761a92.exe
Token: SeDebugPrivilege	2480	f76360e.exe
Token: SeDebugPrivilege	2480	f76360e.exe
Token: SeDebugPrivilege	2480	f76360e.exe
Token: SeDebugPrivilege	2480	f76360e.exe
Token: SeDebugPrivilege	2480	f76360e.exe
Token: SeDebugPrivilege	2480	f76360e.exe
Token: SeDebugPrivilege	2480	f76360e.exe
Token: SeDebugPrivilege	2480	f76360e.exe
Token: SeDebugPrivilege	2480	f76360e.exe
Token: SeDebugPrivilege	2480	f76360e.exe
Token: SeDebugPrivilege	2480	f76360e.exe
Token: SeDebugPrivilege	2480	f76360e.exe
Token: SeDebugPrivilege	2480	f76360e.exe
Token: SeDebugPrivilege	2480	f76360e.exe
Token: SeDebugPrivilege	2480	f76360e.exe
Token: SeDebugPrivilege	2480	f76360e.exe
Token: SeDebugPrivilege	2480	f76360e.exe
Token: SeDebugPrivilege	2480	f76360e.exe
Token: SeDebugPrivilege	2480	f76360e.exe
Token: SeDebugPrivilege	2480	f76360e.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

rundll32.exerundll32.exef761a92.exef76360e.exe

description	pid	process	target process
PID 1848 wrote to memory of 3024	1848	rundll32.exe	rundll32.exe
PID 1848 wrote to memory of 3024	1848	rundll32.exe	rundll32.exe
PID 1848 wrote to memory of 3024	1848	rundll32.exe	rundll32.exe
PID 1848 wrote to memory of 3024	1848	rundll32.exe	rundll32.exe
PID 1848 wrote to memory of 3024	1848	rundll32.exe	rundll32.exe
PID 1848 wrote to memory of 3024	1848	rundll32.exe	rundll32.exe
PID 1848 wrote to memory of 3024	1848	rundll32.exe	rundll32.exe
PID 3024 wrote to memory of 2044	3024	rundll32.exe	f761a92.exe
PID 3024 wrote to memory of 2044	3024	rundll32.exe	f761a92.exe
PID 3024 wrote to memory of 2044	3024	rundll32.exe	f761a92.exe
PID 3024 wrote to memory of 2044	3024	rundll32.exe	f761a92.exe
PID 2044 wrote to memory of 1260	2044	f761a92.exe	taskhost.exe
PID 2044 wrote to memory of 1332	2044	f761a92.exe	Dwm.exe
PID 2044 wrote to memory of 1368	2044	f761a92.exe	Explorer.EXE
PID 2044 wrote to memory of 2200	2044	f761a92.exe	DllHost.exe
PID 2044 wrote to memory of 1848	2044	f761a92.exe	rundll32.exe
PID 2044 wrote to memory of 3024	2044	f761a92.exe	rundll32.exe
PID 2044 wrote to memory of 3024	2044	f761a92.exe	rundll32.exe
PID 3024 wrote to memory of 2716	3024	rundll32.exe	f761c95.exe
PID 3024 wrote to memory of 2716	3024	rundll32.exe	f761c95.exe
PID 3024 wrote to memory of 2716	3024	rundll32.exe	f761c95.exe
PID 3024 wrote to memory of 2716	3024	rundll32.exe	f761c95.exe
PID 3024 wrote to memory of 2480	3024	rundll32.exe	f76360e.exe
PID 3024 wrote to memory of 2480	3024	rundll32.exe	f76360e.exe
PID 3024 wrote to memory of 2480	3024	rundll32.exe	f76360e.exe
PID 3024 wrote to memory of 2480	3024	rundll32.exe	f76360e.exe
PID 2044 wrote to memory of 1260	2044	f761a92.exe	taskhost.exe
PID 2044 wrote to memory of 1332	2044	f761a92.exe	Dwm.exe
PID 2044 wrote to memory of 1368	2044	f761a92.exe	Explorer.EXE
PID 2044 wrote to memory of 2716	2044	f761a92.exe	f761c95.exe
PID 2044 wrote to memory of 2716	2044	f761a92.exe	f761c95.exe
PID 2044 wrote to memory of 2480	2044	f761a92.exe	f76360e.exe
PID 2044 wrote to memory of 2480	2044	f761a92.exe	f76360e.exe
PID 2480 wrote to memory of 1260	2480	f76360e.exe	taskhost.exe
PID 2480 wrote to memory of 1332	2480	f76360e.exe	Dwm.exe
PID 2480 wrote to memory of 1368	2480	f76360e.exe	Explorer.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

f761a92.exef76360e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f761a92.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f76360e.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1260

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1332

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1368

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0726bb3e17a3767a59c0cf84543f95189fbe46b3b3c209f0a126d82aebe13320.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0726bb3e17a3767a59c0cf84543f95189fbe46b3b3c209f0a126d82aebe13320.dll,#1
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\f761a92.exe
C:\Users\Admin\AppData\Local\Temp\f761a92.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2044

C:\Users\Admin\AppData\Local\Temp\f761c95.exe
C:\Users\Admin\AppData\Local\Temp\f761c95.exe
4⤵
- Executes dropped EXE
PID:2716

C:\Users\Admin\AppData\Local\Temp\f76360e.exe
C:\Users\Admin\AppData\Local\Temp\f76360e.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2480

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2200

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SYSTEM.INI
Filesize
256B

MD5
b1d4ed3ebf21f2a151763208dba2695b

SHA1
7a0286e95bf30463567e1906a78221c63a1fec16

SHA256
f94074bde83a3eb601615882153ae048a0ceac173be49c92bee508a858e9877f

SHA512
93e65f71191c345db1429343844282bb73f3fbc77b898a53a5b59b4adbec6e465a1274b481fa8f18e8ac5f6f8e5d6ef7e1bd6a69364d37d46b225642a2d1b19d

Download Submit
\Users\Admin\AppData\Local\Temp\f761a92.exe
Filesize
97KB

MD5
b5c37da37abe66eb03c6c946d13078d0

SHA1
fc7592c5b105b7c057237c5f74298b4416beee51

SHA256
581b137c4f2507eb33579b2f1a526a8c70bed083cb950424d36a8a6b4d2700c0

SHA512
b5ffcd9a3fc9851e666907707bfffa7770b479b5ea31060a7e0c25dada8b7248151679274ff7c1f851b120a0c10f92a13362012e5dda7ddaa2cf434420c395b0

Download Submit
memory/1260-28-0x0000000000320000-0x0000000000322000-memory.dmp

Filesize
8KB

Download
memory/2044-63-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2044-17-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2044-12-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2044-14-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2044-15-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2044-16-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2044-64-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2044-19-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2044-20-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2044-87-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2044-21-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2044-49-0x0000000003BD0000-0x0000000003BD2000-memory.dmp

Filesize
8KB

Download
memory/2044-47-0x0000000004230000-0x0000000004231000-memory.dmp

Filesize
4KB

Download
memory/2044-65-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2044-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2044-88-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2044-157-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2044-18-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2044-156-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2044-122-0x0000000003BD0000-0x0000000003BD2000-memory.dmp

Filesize
8KB

Download
memory/2044-106-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2044-70-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2044-69-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2044-56-0x0000000003BD0000-0x0000000003BD2000-memory.dmp

Filesize
8KB

Download
memory/2044-22-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2044-84-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2044-67-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2044-66-0x0000000000520000-0x00000000015DA000-memory.dmp

Filesize
16.7MB

Download
memory/2480-212-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2480-104-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2480-108-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/2480-163-0x0000000000A60000-0x0000000001B1A000-memory.dmp

Filesize
16.7MB

Download
memory/2480-83-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2480-211-0x0000000000A60000-0x0000000001B1A000-memory.dmp

Filesize
16.7MB

Download
memory/2716-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2716-107-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/2716-161-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2716-99-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/2716-98-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/3024-60-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/3024-58-0x0000000001D60000-0x0000000001D72000-memory.dmp

Filesize
72KB

Download
memory/3024-57-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/3024-59-0x0000000001D60000-0x0000000001D72000-memory.dmp

Filesize
72KB

Download
memory/3024-79-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/3024-10-0x0000000000200000-0x0000000000212000-memory.dmp

Filesize
72KB

Download
memory/3024-9-0x0000000000200000-0x0000000000212000-memory.dmp

Filesize
72KB

Download
memory/3024-82-0x0000000000200000-0x0000000000202000-memory.dmp

Filesize
8KB

Download
memory/3024-37-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/3024-8-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/3024-46-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/3024-36-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads