sality | 087df168d78dcfd730fb669aad4b848c054f08cbab3c722c87a0be0aa5c598a7

Analysis

max time kernel
134s
max time network
83s
platform
windows10_x64
resource
win10v200722
submitted
30-07-2020 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Size

1.1MB
MD5

9940b1d4284582df2342b9c394b34d20
SHA1

ffe310f517cc7e6e7dc6ca10007338b2c1d09f66
SHA256

087df168d78dcfd730fb669aad4b848c054f08cbab3c722c87a0be0aa5c598a7
SHA512

b578d6c3a27f56d85ddeadcc8f96a40c3aa4c64684d9d0451769233997c2d0c0521ec7497d63d2da2686b227a9e6714492f1f6dc5ea2b280d08bf27608f491dd

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
412	SecuriteInfo.com.Win32.Sector.30.16924.15564.tmp

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3060-0-0x0000000002300000-0x000000000338E000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
File opened (read-only)	\??\P:	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
File opened (read-only)	\??\V:	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
File opened (read-only)	\??\U:	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
File opened (read-only)	\??\W:	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
File opened (read-only)	\??\Y:	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
File opened (read-only)	\??\Z:	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
File opened (read-only)	\??\E:	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
File opened (read-only)	\??\H:	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
File opened (read-only)	\??\R:	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
File opened (read-only)	\??\L:	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
File opened (read-only)	\??\N:	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
File opened (read-only)	\??\O:	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
File opened (read-only)	\??\Q:	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
File opened (read-only)	\??\T:	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
File opened (read-only)	\??\F:	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
File opened (read-only)	\??\G:	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
File opened (read-only)	\??\I:	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
File opened (read-only)	\??\X:	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
File opened (read-only)	\??\J:	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
File opened (read-only)	\??\M:	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
File opened (read-only)	\??\S:	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
Token: SeDebugPrivilege	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 728	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	9
PID 3060 wrote to memory of 412	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	66
PID 3060 wrote to memory of 412	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	66
PID 3060 wrote to memory of 412	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	66
PID 3060 wrote to memory of 736	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	10
PID 3060 wrote to memory of 984	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	14
PID 3060 wrote to memory of 2296	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	44
PID 3060 wrote to memory of 2304	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	45
PID 3060 wrote to memory of 2680	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	55
PID 3060 wrote to memory of 2960	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	56
PID 3060 wrote to memory of 3184	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	57
PID 3060 wrote to memory of 3192	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	58
PID 3060 wrote to memory of 3372	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	59
PID 3060 wrote to memory of 3636	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	60
PID 3060 wrote to memory of 728	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	9
PID 3060 wrote to memory of 736	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	10
PID 3060 wrote to memory of 984	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	14
PID 3060 wrote to memory of 2296	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	44
PID 3060 wrote to memory of 2304	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	45
PID 3060 wrote to memory of 2680	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	55
PID 3060 wrote to memory of 2960	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	56
PID 3060 wrote to memory of 3184	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	57
PID 3060 wrote to memory of 3192	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	58
PID 3060 wrote to memory of 3372	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	59
PID 3060 wrote to memory of 3636	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	60
PID 3060 wrote to memory of 412	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	66
PID 3060 wrote to memory of 412	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	66
PID 3060 wrote to memory of 728	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	9
PID 3060 wrote to memory of 736	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	10
PID 3060 wrote to memory of 984	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	14
PID 3060 wrote to memory of 2296	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	44
PID 3060 wrote to memory of 2304	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	45
PID 3060 wrote to memory of 2680	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	55
PID 3060 wrote to memory of 2960	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	56
PID 3060 wrote to memory of 3184	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	57
PID 3060 wrote to memory of 3192	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	58
PID 3060 wrote to memory of 3372	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	59
PID 3060 wrote to memory of 3636	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	60
PID 3060 wrote to memory of 728	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	9
PID 3060 wrote to memory of 736	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	10
PID 3060 wrote to memory of 984	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	14
PID 3060 wrote to memory of 2296	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	44
PID 3060 wrote to memory of 2304	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	45
PID 3060 wrote to memory of 2680	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	55
PID 3060 wrote to memory of 2960	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	56
PID 3060 wrote to memory of 3184	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	57
PID 3060 wrote to memory of 3192	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	58
PID 3060 wrote to memory of 3372	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	59
PID 3060 wrote to memory of 3636	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	60
PID 3060 wrote to memory of 728	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	9
PID 3060 wrote to memory of 736	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	10
PID 3060 wrote to memory of 984	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	14
PID 3060 wrote to memory of 2296	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	44
PID 3060 wrote to memory of 2304	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	45
PID 3060 wrote to memory of 2680	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	55
PID 3060 wrote to memory of 2960	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	56
PID 3060 wrote to memory of 3184	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	57
PID 3060 wrote to memory of 3192	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	58
PID 3060 wrote to memory of 3372	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	59
PID 3060 wrote to memory of 3636	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	60
PID 3060 wrote to memory of 728	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	9
PID 3060 wrote to memory of 736	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	10
PID 3060 wrote to memory of 984	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	14
PID 3060 wrote to memory of 2296	3060	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe	44

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SecuriteInfo.com.Win32.Sector.30.16924.15564.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:728

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:736

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:984

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2296

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2304

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2680

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2960
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Sector.30.16924.15564.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Sector.30.16924.15564.exe"
  2⤵
  - Modifies firewall policy service
  - Windows security modification
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\is-KSG0B.tmp\SecuriteInfo.com.Win32.Sector.30.16924.15564.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-KSG0B.tmp\SecuriteInfo.com.Win32.Sector.30.16924.15564.tmp" /SL5="$6006A,805193,53248,C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Sector.30.16924.15564.exe"
    3⤵
    - Executes dropped EXE
    PID:412

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3184

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3192

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3372

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-KSG0B.tmp\SecuriteInfo.com.Win32.Sector.30.16924.15564.tmp

Filesize
669KB

MD5
52950ac9e2b481453082f096120e355a

SHA1
159c09db1abcee9114b4f792ffba255c78a6e6c3

SHA256
25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd

SHA512
5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KSG0B.tmp\SecuriteInfo.com.Win32.Sector.30.16924.15564.tmp

Filesize
669KB

MD5
52950ac9e2b481453082f096120e355a

SHA1
159c09db1abcee9114b4f792ffba255c78a6e6c3

SHA256
25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd

SHA512
5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba

Download Submit
memory/3060-0-0x0000000002300000-0x000000000338E000-memory.dmp

Filesize
16.6MB

Download