sality | 2d121ea1219cd013d36149a1166995b1e472d9b607a074625240006921990022

Analysis

max time kernel
95s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d121ea1219cd013d36149a1166995b1e472d9b607a074625240006921990022.dll
Size

120KB
MD5

4b88e4c297ba62173831d9663e7b25c6
SHA1

223305e0105b08f7393774b8dc85b90e36b788cc
SHA256

2d121ea1219cd013d36149a1166995b1e472d9b607a074625240006921990022
SHA512

3297d27c2679c67aaf5481fe0e3093023aa59bd1fd362f4b46fbd67973c14399c9fb5d97c2f99b042d73a026d324ad628336337eeb6786791013f580438faf02
SSDEEP

3072:tkJM+dd6zp8AxQxQT5wbzqXKLL1941AQv6SwDj1RvcVV:WZK98PS6EKLh941xv6jDj1Rk

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

e5933e7.exee58f7e8.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e5933e7.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e5933e7.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e5933e7.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e58f7e8.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e58f7e8.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e58f7e8.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e58f7e8.exee5933e7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e58f7e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5933e7.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e5933e7.exee58f7e8.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5933e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5933e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e58f7e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e58f7e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e58f7e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e58f7e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5933e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5933e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e58f7e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e58f7e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5933e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5933e7.exe

Executes dropped EXE 4 IoCs

Processes:

e58f7e8.exee5933e7.exee593c63.exee593d3e.exe

pid process

1676 e58f7e8.exe
1896 e5933e7.exe
2408 e593c63.exe
3252 e593d3e.exe

pid	process
1676	e58f7e8.exe
1896	e5933e7.exe
2408	e593c63.exe
3252	e593d3e.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1676-7-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/1676-9-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/1676-12-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/1676-11-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/1676-16-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/1676-17-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/1676-18-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/1676-15-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/1676-13-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/1676-10-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/1676-30-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/1676-29-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/1676-31-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/1676-32-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/1676-33-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/1676-35-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/1676-41-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/1676-44-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/1676-60-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/1676-68-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/1676-72-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/1676-74-0x0000000000860000-0x000000000191A000-memory.dmp	upx
behavioral2/memory/1896-94-0x0000000000B40000-0x0000000001BFA000-memory.dmp	upx
behavioral2/memory/1896-97-0x0000000000B40000-0x0000000001BFA000-memory.dmp	upx
behavioral2/memory/1896-98-0x0000000000B40000-0x0000000001BFA000-memory.dmp	upx
behavioral2/memory/1896-144-0x0000000000B40000-0x0000000001BFA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e58f7e8.exee5933e7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e58f7e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e58f7e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5933e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e58f7e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e5933e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e58f7e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e58f7e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e58f7e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5933e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5933e7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e58f7e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5933e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5933e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5933e7.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e58f7e8.exee5933e7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e58f7e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5933e7.exe

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e58f7e8.exe

description	ioc	process
File opened (read-only)	\??\I:	e58f7e8.exe
File opened (read-only)	\??\J:	e58f7e8.exe
File opened (read-only)	\??\K:	e58f7e8.exe
File opened (read-only)	\??\E:	e58f7e8.exe
File opened (read-only)	\??\G:	e58f7e8.exe
File opened (read-only)	\??\H:	e58f7e8.exe

Drops file in Windows directory 3 IoCs

Processes:

e58f7e8.exee5933e7.exe

description ioc process

File created C:\Windows\e59117b e58f7e8.exe
File opened for modification C:\Windows\SYSTEM.INI e58f7e8.exe
File created C:\Windows\e595b74 e5933e7.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e58f7e8.exe

pid process

1676 e58f7e8.exe
1676 e58f7e8.exe
1676 e58f7e8.exe
1676 e58f7e8.exe

description	ioc	process
File created	C:\Windows\e59117b	e58f7e8.exe
File opened for modification	C:\Windows\SYSTEM.INI	e58f7e8.exe
File created	C:\Windows\e595b74	e5933e7.exe

pid	process
1676	e58f7e8.exe
1676	e58f7e8.exe
1676	e58f7e8.exe
1676	e58f7e8.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e58f7e8.exe

description	pid	process
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe
Token: SeDebugPrivilege	1676	e58f7e8.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exee58f7e8.exe

description	pid	process	target process
PID 4444 wrote to memory of 2780	4444	rundll32.exe	rundll32.exe
PID 4444 wrote to memory of 2780	4444	rundll32.exe	rundll32.exe
PID 4444 wrote to memory of 2780	4444	rundll32.exe	rundll32.exe
PID 2780 wrote to memory of 1676	2780	rundll32.exe	e58f7e8.exe
PID 2780 wrote to memory of 1676	2780	rundll32.exe	e58f7e8.exe
PID 2780 wrote to memory of 1676	2780	rundll32.exe	e58f7e8.exe
PID 1676 wrote to memory of 800	1676	e58f7e8.exe	fontdrvhost.exe
PID 1676 wrote to memory of 804	1676	e58f7e8.exe	fontdrvhost.exe
PID 1676 wrote to memory of 384	1676	e58f7e8.exe	dwm.exe
PID 1676 wrote to memory of 2432	1676	e58f7e8.exe	sihost.exe
PID 1676 wrote to memory of 2508	1676	e58f7e8.exe	svchost.exe
PID 1676 wrote to memory of 2668	1676	e58f7e8.exe	taskhostw.exe
PID 1676 wrote to memory of 3240	1676	e58f7e8.exe	Explorer.EXE
PID 1676 wrote to memory of 3584	1676	e58f7e8.exe	svchost.exe
PID 1676 wrote to memory of 3776	1676	e58f7e8.exe	DllHost.exe
PID 1676 wrote to memory of 3932	1676	e58f7e8.exe	StartMenuExperienceHost.exe
PID 1676 wrote to memory of 4000	1676	e58f7e8.exe	RuntimeBroker.exe
PID 1676 wrote to memory of 4088	1676	e58f7e8.exe	SearchApp.exe
PID 1676 wrote to memory of 4148	1676	e58f7e8.exe	RuntimeBroker.exe
PID 1676 wrote to memory of 4556	1676	e58f7e8.exe	RuntimeBroker.exe
PID 1676 wrote to memory of 5096	1676	e58f7e8.exe	TextInputHost.exe
PID 1676 wrote to memory of 1360	1676	e58f7e8.exe	msedge.exe
PID 1676 wrote to memory of 4960	1676	e58f7e8.exe	msedge.exe
PID 1676 wrote to memory of 2496	1676	e58f7e8.exe	msedge.exe
PID 1676 wrote to memory of 1900	1676	e58f7e8.exe	msedge.exe
PID 1676 wrote to memory of 1940	1676	e58f7e8.exe	msedge.exe
PID 1676 wrote to memory of 816	1676	e58f7e8.exe	msedge.exe
PID 1676 wrote to memory of 3904	1676	e58f7e8.exe	msedge.exe
PID 1676 wrote to memory of 4444	1676	e58f7e8.exe	rundll32.exe
PID 1676 wrote to memory of 2780	1676	e58f7e8.exe	rundll32.exe
PID 1676 wrote to memory of 2780	1676	e58f7e8.exe	rundll32.exe
PID 1676 wrote to memory of 4628	1676	e58f7e8.exe	msedge.exe
PID 2780 wrote to memory of 1896	2780	rundll32.exe	e5933e7.exe
PID 2780 wrote to memory of 1896	2780	rundll32.exe	e5933e7.exe
PID 2780 wrote to memory of 1896	2780	rundll32.exe	e5933e7.exe
PID 2780 wrote to memory of 2408	2780	rundll32.exe	e593c63.exe
PID 2780 wrote to memory of 2408	2780	rundll32.exe	e593c63.exe
PID 2780 wrote to memory of 2408	2780	rundll32.exe	e593c63.exe
PID 1676 wrote to memory of 800	1676	e58f7e8.exe	fontdrvhost.exe
PID 1676 wrote to memory of 804	1676	e58f7e8.exe	fontdrvhost.exe
PID 1676 wrote to memory of 384	1676	e58f7e8.exe	dwm.exe
PID 1676 wrote to memory of 2432	1676	e58f7e8.exe	sihost.exe
PID 1676 wrote to memory of 2508	1676	e58f7e8.exe	svchost.exe
PID 1676 wrote to memory of 2668	1676	e58f7e8.exe	taskhostw.exe
PID 1676 wrote to memory of 3240	1676	e58f7e8.exe	Explorer.EXE
PID 1676 wrote to memory of 3584	1676	e58f7e8.exe	svchost.exe
PID 1676 wrote to memory of 3776	1676	e58f7e8.exe	DllHost.exe
PID 1676 wrote to memory of 3932	1676	e58f7e8.exe	StartMenuExperienceHost.exe
PID 1676 wrote to memory of 4000	1676	e58f7e8.exe	RuntimeBroker.exe
PID 1676 wrote to memory of 4088	1676	e58f7e8.exe	SearchApp.exe
PID 1676 wrote to memory of 4148	1676	e58f7e8.exe	RuntimeBroker.exe
PID 1676 wrote to memory of 4556	1676	e58f7e8.exe	RuntimeBroker.exe
PID 1676 wrote to memory of 5096	1676	e58f7e8.exe	TextInputHost.exe
PID 1676 wrote to memory of 1360	1676	e58f7e8.exe	msedge.exe
PID 1676 wrote to memory of 4960	1676	e58f7e8.exe	msedge.exe
PID 1676 wrote to memory of 2496	1676	e58f7e8.exe	msedge.exe
PID 1676 wrote to memory of 1900	1676	e58f7e8.exe	msedge.exe
PID 1676 wrote to memory of 1940	1676	e58f7e8.exe	msedge.exe
PID 1676 wrote to memory of 816	1676	e58f7e8.exe	msedge.exe
PID 1676 wrote to memory of 3904	1676	e58f7e8.exe	msedge.exe
PID 1676 wrote to memory of 4444	1676	e58f7e8.exe	rundll32.exe
PID 1676 wrote to memory of 4628	1676	e58f7e8.exe	msedge.exe
PID 1676 wrote to memory of 1896	1676	e58f7e8.exe	e5933e7.exe
PID 1676 wrote to memory of 1896	1676	e58f7e8.exe	e5933e7.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e58f7e8.exee5933e7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e58f7e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5933e7.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:800

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:804

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:384

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2508

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2668

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3240

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d121ea1219cd013d36149a1166995b1e472d9b607a074625240006921990022.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d121ea1219cd013d36149a1166995b1e472d9b607a074625240006921990022.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:2780

C:\Users\Admin\AppData\Local\Temp\e58f7e8.exe
C:\Users\Admin\AppData\Local\Temp\e58f7e8.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1676

C:\Users\Admin\AppData\Local\Temp\e5933e7.exe
C:\Users\Admin\AppData\Local\Temp\e5933e7.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:1896

C:\Users\Admin\AppData\Local\Temp\e593c63.exe
C:\Users\Admin\AppData\Local\Temp\e593c63.exe
4⤵
- Executes dropped EXE
PID:2408

C:\Users\Admin\AppData\Local\Temp\e593d3e.exe
C:\Users\Admin\AppData\Local\Temp\e593d3e.exe
4⤵
- Executes dropped EXE
PID:3252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3584

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3776

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3932

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4000

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4088

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4148

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4556

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:5096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:1360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2b4,0x7fff9f0a2e98,0x7fff9f0a2ea4,0x7fff9f0a2eb0
2⤵
PID:4960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2352 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:2
2⤵
PID:2496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2388 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:3
2⤵
PID:1900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2344 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
2⤵
PID:1940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5340 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:1
2⤵
PID:816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5468 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:1
2⤵
PID:3904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3792 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
2⤵
PID:4628

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e58f7e8.exe
Filesize
97KB

MD5
fadf1edefc937a28fdbda05d9b62fe50

SHA1
dfaad8f3dfcc583019a28440ce9f54a33ec292b5

SHA256
5ee734046ab0e543ef2ee44068a54ef6088368c13e91cfe80ae9b939c281fd48

SHA512
58f7a074e2bfe82b8a40608a888bd8911014566c225821f6a2bdca2889d76a77774a6169260f55029e32f743ddf5934e986239c52d1902fe1027fa638fff38ce

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
e5e3901030f7d98af004f33d64408a5a

SHA1
703ecaef5d0e449cc313f30246baddbcb04607dd

SHA256
2f8222ec9cfb4588e16c170a70768abd279fecc41d32fb0b01ff755061057e54

SHA512
f706c1525d9e3733de93b740e643bc2c2df35a391e6a67daf505d3352add939c32eb1c68f7777ab418eb8857320da95f838d7a208e13d89474fbeeb447c4d7f9

Download Submit
memory/1676-72-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/1676-35-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/1676-93-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1676-12-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/1676-74-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/1676-16-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/1676-17-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/1676-18-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/1676-15-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/1676-13-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/1676-10-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/1676-23-0x0000000000730000-0x0000000000732000-memory.dmp

Filesize
8KB

Download
memory/1676-22-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1676-7-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/1676-81-0x0000000000730000-0x0000000000732000-memory.dmp

Filesize
8KB

Download
memory/1676-44-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/1676-30-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/1676-29-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/1676-31-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/1676-32-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/1676-33-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/1676-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1676-68-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/1676-41-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/1676-9-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/1676-11-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/1676-24-0x0000000000730000-0x0000000000732000-memory.dmp

Filesize
8KB

Download
memory/1676-60-0x0000000000860000-0x000000000191A000-memory.dmp

Filesize
16.7MB

Download
memory/1896-97-0x0000000000B40000-0x0000000001BFA000-memory.dmp

Filesize
16.7MB

Download
memory/1896-58-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1896-94-0x0000000000B40000-0x0000000001BFA000-memory.dmp

Filesize
16.7MB

Download
memory/1896-43-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1896-55-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1896-53-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1896-144-0x0000000000B40000-0x0000000001BFA000-memory.dmp

Filesize
16.7MB

Download
memory/1896-98-0x0000000000B40000-0x0000000001BFA000-memory.dmp

Filesize
16.7MB

Download
memory/1896-143-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2408-56-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2408-51-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2408-148-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2408-57-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2408-59-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2780-20-0x0000000003E60000-0x0000000003E61000-memory.dmp

Filesize
4KB

Download
memory/2780-0-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2780-36-0x0000000000F80000-0x0000000000F82000-memory.dmp

Filesize
8KB

Download
memory/2780-19-0x0000000000F80000-0x0000000000F82000-memory.dmp

Filesize
8KB

Download
memory/2780-42-0x0000000000F80000-0x0000000000F82000-memory.dmp

Filesize
8KB

Download
memory/3252-106-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3252-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3252-152-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download