sality | e991aa8b7a3b5a060d4680a36289dbe65ce47e755cd6c68e5ce5cf2b4041eae2

Analysis

max time kernel
25s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e991aa8b7a3b5a060d4680a36289dbe65ce47e755cd6c68e5ce5cf2b4041eae2.dll
Size

120KB
MD5

3bec2c1a7153d7600b986c7ffd45610b
SHA1

0f9c982ec305ae53c5caacf55607f4c2fb8ddb6c
SHA256

e991aa8b7a3b5a060d4680a36289dbe65ce47e755cd6c68e5ce5cf2b4041eae2
SHA512

061a7648171a4aea7afb7f797582da1b59a0d2b62cc2fd51b9bf483c1350dae70df30fc4f002b368dabf89a2ef8ddcff728ba964ab60233bd16ce6c86ece700a
SSDEEP

1536:Xosbjy+z0bCv//ly2F3FAPU3LreYK4qXc0qLnVhL4wJZGSiYExNbu:XhH3yc3LrzK4qXoLL4wJniR

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

f7613de.exef762f3b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f7613de.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f7613de.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f762f3b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f762f3b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f762f3b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f7613de.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f7613de.exef762f3b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7613de.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f762f3b.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f7613de.exef762f3b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7613de.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7613de.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f762f3b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f762f3b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f762f3b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f762f3b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f762f3b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f762f3b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7613de.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7613de.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7613de.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7613de.exe

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 23 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1196-12-0x0000000000700000-0x00000000017BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/1196-14-0x0000000000700000-0x00000000017BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/1196-15-0x0000000000700000-0x00000000017BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/1196-37-0x0000000000700000-0x00000000017BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/1196-42-0x0000000000700000-0x00000000017BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/1196-41-0x0000000000700000-0x00000000017BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/1196-36-0x0000000000700000-0x00000000017BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/1196-43-0x0000000000700000-0x00000000017BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/1196-16-0x0000000000700000-0x00000000017BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/1196-17-0x0000000000700000-0x00000000017BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/1196-60-0x0000000000700000-0x00000000017BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/1196-61-0x0000000000700000-0x00000000017BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/1196-62-0x0000000000700000-0x00000000017BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/1196-64-0x0000000000700000-0x00000000017BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/1196-63-0x0000000000700000-0x00000000017BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/1196-66-0x0000000000700000-0x00000000017BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/1196-67-0x0000000000700000-0x00000000017BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/1196-80-0x0000000000700000-0x00000000017BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/1196-82-0x0000000000700000-0x00000000017BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/1196-84-0x0000000000700000-0x00000000017BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/1196-153-0x0000000000700000-0x00000000017BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2680-171-0x0000000000910000-0x00000000019CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2680-209-0x0000000000910000-0x00000000019CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine

UPX dump on OEP (original entry point) 27 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1196-12-0x0000000000700000-0x00000000017BA000-memory.dmp	UPX
behavioral1/memory/1196-14-0x0000000000700000-0x00000000017BA000-memory.dmp	UPX
behavioral1/memory/1196-15-0x0000000000700000-0x00000000017BA000-memory.dmp	UPX
behavioral1/memory/2892-54-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral1/memory/1196-37-0x0000000000700000-0x00000000017BA000-memory.dmp	UPX
behavioral1/memory/1196-42-0x0000000000700000-0x00000000017BA000-memory.dmp	UPX
behavioral1/memory/1196-41-0x0000000000700000-0x00000000017BA000-memory.dmp	UPX
behavioral1/memory/1196-36-0x0000000000700000-0x00000000017BA000-memory.dmp	UPX
behavioral1/memory/1196-43-0x0000000000700000-0x00000000017BA000-memory.dmp	UPX
behavioral1/memory/1196-16-0x0000000000700000-0x00000000017BA000-memory.dmp	UPX
behavioral1/memory/1196-17-0x0000000000700000-0x00000000017BA000-memory.dmp	UPX
behavioral1/memory/1196-60-0x0000000000700000-0x00000000017BA000-memory.dmp	UPX
behavioral1/memory/1196-61-0x0000000000700000-0x00000000017BA000-memory.dmp	UPX
behavioral1/memory/1196-62-0x0000000000700000-0x00000000017BA000-memory.dmp	UPX
behavioral1/memory/1196-64-0x0000000000700000-0x00000000017BA000-memory.dmp	UPX
behavioral1/memory/1196-63-0x0000000000700000-0x00000000017BA000-memory.dmp	UPX
behavioral1/memory/1196-66-0x0000000000700000-0x00000000017BA000-memory.dmp	UPX
behavioral1/memory/1196-67-0x0000000000700000-0x00000000017BA000-memory.dmp	UPX
behavioral1/memory/1196-80-0x0000000000700000-0x00000000017BA000-memory.dmp	UPX
behavioral1/memory/1196-82-0x0000000000700000-0x00000000017BA000-memory.dmp	UPX
behavioral1/memory/1196-84-0x0000000000700000-0x00000000017BA000-memory.dmp	UPX
behavioral1/memory/1196-154-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral1/memory/1196-153-0x0000000000700000-0x00000000017BA000-memory.dmp	UPX
behavioral1/memory/2892-181-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral1/memory/2680-171-0x0000000000910000-0x00000000019CA000-memory.dmp	UPX
behavioral1/memory/2680-209-0x0000000000910000-0x00000000019CA000-memory.dmp	UPX
behavioral1/memory/2680-208-0x0000000000400000-0x0000000000412000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

Processes:

f7613de.exef761555.exef762f3b.exe

pid process

1196 f7613de.exe
2892 f761555.exe
2680 f762f3b.exe
Loads dropped DLL 6 IoCs

Processes:

rundll32.exe

pid process

2416 rundll32.exe
2416 rundll32.exe
2416 rundll32.exe
2416 rundll32.exe
2416 rundll32.exe
2416 rundll32.exe

pid	process
1196	f7613de.exe
2892	f761555.exe
2680	f762f3b.exe

pid	process
2416	rundll32.exe
2416	rundll32.exe
2416	rundll32.exe
2416	rundll32.exe
2416	rundll32.exe
2416	rundll32.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1196-12-0x0000000000700000-0x00000000017BA000-memory.dmp	upx
behavioral1/memory/1196-14-0x0000000000700000-0x00000000017BA000-memory.dmp	upx
behavioral1/memory/1196-15-0x0000000000700000-0x00000000017BA000-memory.dmp	upx
behavioral1/memory/1196-37-0x0000000000700000-0x00000000017BA000-memory.dmp	upx
behavioral1/memory/1196-42-0x0000000000700000-0x00000000017BA000-memory.dmp	upx
behavioral1/memory/1196-41-0x0000000000700000-0x00000000017BA000-memory.dmp	upx
behavioral1/memory/1196-36-0x0000000000700000-0x00000000017BA000-memory.dmp	upx
behavioral1/memory/1196-43-0x0000000000700000-0x00000000017BA000-memory.dmp	upx
behavioral1/memory/1196-16-0x0000000000700000-0x00000000017BA000-memory.dmp	upx
behavioral1/memory/1196-17-0x0000000000700000-0x00000000017BA000-memory.dmp	upx
behavioral1/memory/1196-60-0x0000000000700000-0x00000000017BA000-memory.dmp	upx
behavioral1/memory/1196-61-0x0000000000700000-0x00000000017BA000-memory.dmp	upx
behavioral1/memory/1196-62-0x0000000000700000-0x00000000017BA000-memory.dmp	upx
behavioral1/memory/1196-64-0x0000000000700000-0x00000000017BA000-memory.dmp	upx
behavioral1/memory/1196-63-0x0000000000700000-0x00000000017BA000-memory.dmp	upx
behavioral1/memory/1196-66-0x0000000000700000-0x00000000017BA000-memory.dmp	upx
behavioral1/memory/1196-67-0x0000000000700000-0x00000000017BA000-memory.dmp	upx
behavioral1/memory/1196-80-0x0000000000700000-0x00000000017BA000-memory.dmp	upx
behavioral1/memory/1196-82-0x0000000000700000-0x00000000017BA000-memory.dmp	upx
behavioral1/memory/1196-84-0x0000000000700000-0x00000000017BA000-memory.dmp	upx
behavioral1/memory/1196-153-0x0000000000700000-0x00000000017BA000-memory.dmp	upx
behavioral1/memory/2680-171-0x0000000000910000-0x00000000019CA000-memory.dmp	upx
behavioral1/memory/2680-209-0x0000000000910000-0x00000000019CA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f762f3b.exef7613de.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f762f3b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f7613de.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f7613de.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f762f3b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f762f3b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f7613de.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f762f3b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f762f3b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f7613de.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f762f3b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f762f3b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f7613de.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f7613de.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f7613de.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f7613de.exef762f3b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7613de.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f762f3b.exe

Enumerates connected drives 3 TTPs 15 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f7613de.exef762f3b.exe

description	ioc	process
File opened (read-only)	\??\G:	f7613de.exe
File opened (read-only)	\??\H:	f7613de.exe
File opened (read-only)	\??\Q:	f7613de.exe
File opened (read-only)	\??\E:	f762f3b.exe
File opened (read-only)	\??\I:	f7613de.exe
File opened (read-only)	\??\K:	f7613de.exe
File opened (read-only)	\??\O:	f7613de.exe
File opened (read-only)	\??\E:	f7613de.exe
File opened (read-only)	\??\J:	f7613de.exe
File opened (read-only)	\??\L:	f7613de.exe
File opened (read-only)	\??\M:	f7613de.exe
File opened (read-only)	\??\P:	f7613de.exe
File opened (read-only)	\??\R:	f7613de.exe
File opened (read-only)	\??\S:	f7613de.exe
File opened (read-only)	\??\N:	f7613de.exe

Drops file in Windows directory 3 IoCs

Processes:

f7613de.exef762f3b.exe

description ioc process

File created C:\Windows\f76146b f7613de.exe
File opened for modification C:\Windows\SYSTEM.INI f7613de.exe
File created C:\Windows\f766401 f762f3b.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f7613de.exef762f3b.exe

pid process

1196 f7613de.exe
1196 f7613de.exe
2680 f762f3b.exe

description	ioc	process
File created	C:\Windows\f76146b	f7613de.exe
File opened for modification	C:\Windows\SYSTEM.INI	f7613de.exe
File created	C:\Windows\f766401	f762f3b.exe

pid	process
1196	f7613de.exe
1196	f7613de.exe
2680	f762f3b.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

f7613de.exef762f3b.exe

description	pid	process
Token: SeDebugPrivilege	1196	f7613de.exe
Token: SeDebugPrivilege	1196	f7613de.exe
Token: SeDebugPrivilege	1196	f7613de.exe
Token: SeDebugPrivilege	1196	f7613de.exe
Token: SeDebugPrivilege	1196	f7613de.exe
Token: SeDebugPrivilege	1196	f7613de.exe
Token: SeDebugPrivilege	1196	f7613de.exe
Token: SeDebugPrivilege	1196	f7613de.exe
Token: SeDebugPrivilege	1196	f7613de.exe
Token: SeDebugPrivilege	1196	f7613de.exe
Token: SeDebugPrivilege	1196	f7613de.exe
Token: SeDebugPrivilege	1196	f7613de.exe
Token: SeDebugPrivilege	1196	f7613de.exe
Token: SeDebugPrivilege	1196	f7613de.exe
Token: SeDebugPrivilege	1196	f7613de.exe
Token: SeDebugPrivilege	1196	f7613de.exe
Token: SeDebugPrivilege	1196	f7613de.exe
Token: SeDebugPrivilege	1196	f7613de.exe
Token: SeDebugPrivilege	1196	f7613de.exe
Token: SeDebugPrivilege	1196	f7613de.exe
Token: SeDebugPrivilege	1196	f7613de.exe
Token: SeDebugPrivilege	2680	f762f3b.exe
Token: SeDebugPrivilege	2680	f762f3b.exe
Token: SeDebugPrivilege	2680	f762f3b.exe
Token: SeDebugPrivilege	2680	f762f3b.exe
Token: SeDebugPrivilege	2680	f762f3b.exe
Token: SeDebugPrivilege	2680	f762f3b.exe
Token: SeDebugPrivilege	2680	f762f3b.exe
Token: SeDebugPrivilege	2680	f762f3b.exe
Token: SeDebugPrivilege	2680	f762f3b.exe
Token: SeDebugPrivilege	2680	f762f3b.exe
Token: SeDebugPrivilege	2680	f762f3b.exe
Token: SeDebugPrivilege	2680	f762f3b.exe
Token: SeDebugPrivilege	2680	f762f3b.exe
Token: SeDebugPrivilege	2680	f762f3b.exe
Token: SeDebugPrivilege	2680	f762f3b.exe
Token: SeDebugPrivilege	2680	f762f3b.exe
Token: SeDebugPrivilege	2680	f762f3b.exe
Token: SeDebugPrivilege	2680	f762f3b.exe
Token: SeDebugPrivilege	2680	f762f3b.exe
Token: SeDebugPrivilege	2680	f762f3b.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

rundll32.exerundll32.exef7613de.exef762f3b.exe

description	pid	process	target process
PID 2420 wrote to memory of 2416	2420	rundll32.exe	rundll32.exe
PID 2420 wrote to memory of 2416	2420	rundll32.exe	rundll32.exe
PID 2420 wrote to memory of 2416	2420	rundll32.exe	rundll32.exe
PID 2420 wrote to memory of 2416	2420	rundll32.exe	rundll32.exe
PID 2420 wrote to memory of 2416	2420	rundll32.exe	rundll32.exe
PID 2420 wrote to memory of 2416	2420	rundll32.exe	rundll32.exe
PID 2420 wrote to memory of 2416	2420	rundll32.exe	rundll32.exe
PID 2416 wrote to memory of 1196	2416	rundll32.exe	f7613de.exe
PID 2416 wrote to memory of 1196	2416	rundll32.exe	f7613de.exe
PID 2416 wrote to memory of 1196	2416	rundll32.exe	f7613de.exe
PID 2416 wrote to memory of 1196	2416	rundll32.exe	f7613de.exe
PID 1196 wrote to memory of 1108	1196	f7613de.exe	taskhost.exe
PID 1196 wrote to memory of 1172	1196	f7613de.exe	Dwm.exe
PID 1196 wrote to memory of 1200	1196	f7613de.exe	Explorer.EXE
PID 1196 wrote to memory of 2012	1196	f7613de.exe	DllHost.exe
PID 1196 wrote to memory of 2420	1196	f7613de.exe	rundll32.exe
PID 1196 wrote to memory of 2416	1196	f7613de.exe	rundll32.exe
PID 1196 wrote to memory of 2416	1196	f7613de.exe	rundll32.exe
PID 2416 wrote to memory of 2892	2416	rundll32.exe	f761555.exe
PID 2416 wrote to memory of 2892	2416	rundll32.exe	f761555.exe
PID 2416 wrote to memory of 2892	2416	rundll32.exe	f761555.exe
PID 2416 wrote to memory of 2892	2416	rundll32.exe	f761555.exe
PID 2416 wrote to memory of 2680	2416	rundll32.exe	f762f3b.exe
PID 2416 wrote to memory of 2680	2416	rundll32.exe	f762f3b.exe
PID 2416 wrote to memory of 2680	2416	rundll32.exe	f762f3b.exe
PID 2416 wrote to memory of 2680	2416	rundll32.exe	f762f3b.exe
PID 1196 wrote to memory of 1108	1196	f7613de.exe	taskhost.exe
PID 1196 wrote to memory of 1172	1196	f7613de.exe	Dwm.exe
PID 1196 wrote to memory of 1200	1196	f7613de.exe	Explorer.EXE
PID 1196 wrote to memory of 2892	1196	f7613de.exe	f761555.exe
PID 1196 wrote to memory of 2892	1196	f7613de.exe	f761555.exe
PID 1196 wrote to memory of 2680	1196	f7613de.exe	f762f3b.exe
PID 1196 wrote to memory of 2680	1196	f7613de.exe	f762f3b.exe
PID 2680 wrote to memory of 1108	2680	f762f3b.exe	taskhost.exe
PID 2680 wrote to memory of 1172	2680	f762f3b.exe	Dwm.exe
PID 2680 wrote to memory of 1200	2680	f762f3b.exe	Explorer.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

f7613de.exef762f3b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f7613de.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f762f3b.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e991aa8b7a3b5a060d4680a36289dbe65ce47e755cd6c68e5ce5cf2b4041eae2.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e991aa8b7a3b5a060d4680a36289dbe65ce47e755cd6c68e5ce5cf2b4041eae2.dll,#1
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416

C:\Users\Admin\AppData\Local\Temp\f7613de.exe
C:\Users\Admin\AppData\Local\Temp\f7613de.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1196

C:\Users\Admin\AppData\Local\Temp\f761555.exe
C:\Users\Admin\AppData\Local\Temp\f761555.exe
4⤵
- Executes dropped EXE
PID:2892

C:\Users\Admin\AppData\Local\Temp\f762f3b.exe
C:\Users\Admin\AppData\Local\Temp\f762f3b.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2680

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2012

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f7613de.exe
Filesize
97KB

MD5
07c7fb10d83f0f18928da8c9c5d7a670

SHA1
c6423ec06a61efd893136d0c469c178e3e2d0e86

SHA256
dcc43788f62475aa9d7ed21a3d128045c73dbbeddc91d46077b864294469db39

SHA512
41d086c41a9571f637e64f48b353ffcd40ad86e812f78b2662371b4b1a99fecc38eb16d439ae9f4f2c024268ac01b62506fb902dad76a7bc871e0212b0d95f5f

Download Submit
C:\Windows\SYSTEM.INI
Filesize
256B

MD5
dc62510bd435e76c8e0b6ec722558c90

SHA1
fead9fb201bc93d7049ebc6f714674319401e6aa

SHA256
440fff8c561bbcdc95ae60362b233be1b09b67b6935fd450e924d5063921582f

SHA512
457f5b76b2b0a5cb5a6395632c707c00dc742e939ed51372fc922d21a3c777182bef5894fa621b44721bc86a608f264fcd55ba96d5afac30316f8d022df59418

Download Submit
memory/1108-18-0x00000000020F0000-0x00000000020F2000-memory.dmp

Filesize
8KB

Download
memory/1196-60-0x0000000000700000-0x00000000017BA000-memory.dmp

Filesize
16.7MB

Download
memory/1196-154-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1196-153-0x0000000000700000-0x00000000017BA000-memory.dmp

Filesize
16.7MB

Download
memory/1196-14-0x0000000000700000-0x00000000017BA000-memory.dmp

Filesize
16.7MB

Download
memory/1196-15-0x0000000000700000-0x00000000017BA000-memory.dmp

Filesize
16.7MB

Download
memory/1196-61-0x0000000000700000-0x00000000017BA000-memory.dmp

Filesize
16.7MB

Download
memory/1196-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1196-113-0x0000000000310000-0x0000000000312000-memory.dmp

Filesize
8KB

Download
memory/1196-40-0x0000000000310000-0x0000000000312000-memory.dmp

Filesize
8KB

Download
memory/1196-37-0x0000000000700000-0x00000000017BA000-memory.dmp

Filesize
16.7MB

Download
memory/1196-42-0x0000000000700000-0x00000000017BA000-memory.dmp

Filesize
16.7MB

Download
memory/1196-41-0x0000000000700000-0x00000000017BA000-memory.dmp

Filesize
16.7MB

Download
memory/1196-36-0x0000000000700000-0x00000000017BA000-memory.dmp

Filesize
16.7MB

Download
memory/1196-43-0x0000000000700000-0x00000000017BA000-memory.dmp

Filesize
16.7MB

Download
memory/1196-84-0x0000000000700000-0x00000000017BA000-memory.dmp

Filesize
16.7MB

Download
memory/1196-62-0x0000000000700000-0x00000000017BA000-memory.dmp

Filesize
16.7MB

Download
memory/1196-38-0x0000000000310000-0x0000000000312000-memory.dmp

Filesize
8KB

Download
memory/1196-17-0x0000000000700000-0x00000000017BA000-memory.dmp

Filesize
16.7MB

Download
memory/1196-35-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1196-80-0x0000000000700000-0x00000000017BA000-memory.dmp

Filesize
16.7MB

Download
memory/1196-67-0x0000000000700000-0x00000000017BA000-memory.dmp

Filesize
16.7MB

Download
memory/1196-66-0x0000000000700000-0x00000000017BA000-memory.dmp

Filesize
16.7MB

Download
memory/1196-16-0x0000000000700000-0x00000000017BA000-memory.dmp

Filesize
16.7MB

Download
memory/1196-12-0x0000000000700000-0x00000000017BA000-memory.dmp

Filesize
16.7MB

Download
memory/1196-82-0x0000000000700000-0x00000000017BA000-memory.dmp

Filesize
16.7MB

Download
memory/1196-64-0x0000000000700000-0x00000000017BA000-memory.dmp

Filesize
16.7MB

Download
memory/1196-63-0x0000000000700000-0x00000000017BA000-memory.dmp

Filesize
16.7MB

Download
memory/2416-26-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2416-27-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2416-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2416-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2416-52-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2416-39-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2416-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2416-51-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2416-76-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2680-208-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2680-106-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2680-79-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2680-102-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2680-171-0x0000000000910000-0x00000000019CA000-memory.dmp

Filesize
16.7MB

Download
memory/2680-209-0x0000000000910000-0x00000000019CA000-memory.dmp

Filesize
16.7MB

Download
memory/2680-105-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2892-104-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2892-54-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2892-96-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2892-93-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2892-181-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads