sality | 4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664

Analysis

max time kernel
161s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
14-07-2022 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Size

221KB
MD5

90af628b9c7875599eb32e093310c8b1
SHA1

56163f9470a0880b516a9347335bb61864301274
SHA256

4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664
SHA512

30292178bb237ceee8faf3b06250e28b95ee24d91bcf0f5d0509f38a04a87ac7bd609437fb41ca62ed1dadef1a08b0a029b8b3b85d7009239b622db7ffcb47b9

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

http://klkjwre77638dfqwieuoi888.info/

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

Disables Task Manager via registry modification
evasion

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1580-130-0x00000000023F0000-0x000000000347E000-memory.dmp	upx
behavioral2/memory/1580-132-0x00000000023F0000-0x000000000347E000-memory.dmp	upx
behavioral2/memory/1580-133-0x00000000023F0000-0x000000000347E000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

Drops file in Program Files directory 11 IoCs

Processes:

4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

description	ioc	process
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

Drops file in Windows directory 1 IoCs

Processes:

4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI 4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

Modifies registry class 5 IoCs

Processes:

4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

pid	process
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

description	pid	process
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
Token: SeDebugPrivilege	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

description	pid	process	target process
PID 1580 wrote to memory of 772	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	fontdrvhost.exe
PID 1580 wrote to memory of 776	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	fontdrvhost.exe
PID 1580 wrote to memory of 384	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	dwm.exe
PID 1580 wrote to memory of 2508	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	sihost.exe
PID 1580 wrote to memory of 2528	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	svchost.exe
PID 1580 wrote to memory of 2720	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	taskhostw.exe
PID 1580 wrote to memory of 3132	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	Explorer.EXE
PID 1580 wrote to memory of 3268	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	svchost.exe
PID 1580 wrote to memory of 3460	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	DllHost.exe
PID 1580 wrote to memory of 3572	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	StartMenuExperienceHost.exe
PID 1580 wrote to memory of 3636	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	RuntimeBroker.exe
PID 1580 wrote to memory of 3724	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	SearchApp.exe
PID 1580 wrote to memory of 3860	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	RuntimeBroker.exe
PID 1580 wrote to memory of 772	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	fontdrvhost.exe
PID 1580 wrote to memory of 776	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	fontdrvhost.exe
PID 1580 wrote to memory of 384	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	dwm.exe
PID 1580 wrote to memory of 2508	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	sihost.exe
PID 1580 wrote to memory of 2528	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	svchost.exe
PID 1580 wrote to memory of 2720	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	taskhostw.exe
PID 1580 wrote to memory of 3132	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	Explorer.EXE
PID 1580 wrote to memory of 3268	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	svchost.exe
PID 1580 wrote to memory of 3460	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	DllHost.exe
PID 1580 wrote to memory of 3572	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	StartMenuExperienceHost.exe
PID 1580 wrote to memory of 3636	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	RuntimeBroker.exe
PID 1580 wrote to memory of 3724	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	SearchApp.exe
PID 1580 wrote to memory of 3860	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	RuntimeBroker.exe
PID 1580 wrote to memory of 772	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	fontdrvhost.exe
PID 1580 wrote to memory of 776	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	fontdrvhost.exe
PID 1580 wrote to memory of 384	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	dwm.exe
PID 1580 wrote to memory of 2508	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	sihost.exe
PID 1580 wrote to memory of 2528	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	svchost.exe
PID 1580 wrote to memory of 2720	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	taskhostw.exe
PID 1580 wrote to memory of 3132	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	Explorer.EXE
PID 1580 wrote to memory of 3268	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	svchost.exe
PID 1580 wrote to memory of 3460	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	DllHost.exe
PID 1580 wrote to memory of 3572	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	StartMenuExperienceHost.exe
PID 1580 wrote to memory of 3636	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	RuntimeBroker.exe
PID 1580 wrote to memory of 3724	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	SearchApp.exe
PID 1580 wrote to memory of 3860	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	RuntimeBroker.exe
PID 1580 wrote to memory of 772	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	fontdrvhost.exe
PID 1580 wrote to memory of 776	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	fontdrvhost.exe
PID 1580 wrote to memory of 384	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	dwm.exe
PID 1580 wrote to memory of 2508	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	sihost.exe
PID 1580 wrote to memory of 2528	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	svchost.exe
PID 1580 wrote to memory of 2720	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	taskhostw.exe
PID 1580 wrote to memory of 3132	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	Explorer.EXE
PID 1580 wrote to memory of 3268	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	svchost.exe
PID 1580 wrote to memory of 3460	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	DllHost.exe
PID 1580 wrote to memory of 3572	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	StartMenuExperienceHost.exe
PID 1580 wrote to memory of 3636	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	RuntimeBroker.exe
PID 1580 wrote to memory of 3724	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	SearchApp.exe
PID 1580 wrote to memory of 3860	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	RuntimeBroker.exe
PID 1580 wrote to memory of 772	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	fontdrvhost.exe
PID 1580 wrote to memory of 776	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	fontdrvhost.exe
PID 1580 wrote to memory of 384	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	dwm.exe
PID 1580 wrote to memory of 2508	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	sihost.exe
PID 1580 wrote to memory of 2528	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	svchost.exe
PID 1580 wrote to memory of 2720	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	taskhostw.exe
PID 1580 wrote to memory of 3132	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	Explorer.EXE
PID 1580 wrote to memory of 3268	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	svchost.exe
PID 1580 wrote to memory of 3460	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	DllHost.exe
PID 1580 wrote to memory of 3572	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	StartMenuExperienceHost.exe
PID 1580 wrote to memory of 3636	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	RuntimeBroker.exe
PID 1580 wrote to memory of 3724	1580	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe	SearchApp.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:772

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:384

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3636

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3860

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3724

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3268

C:\Users\Admin\AppData\Local\Temp\4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
"C:\Users\Admin\AppData\Local\Temp\4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe"
1⤵
- Modifies firewall policy service
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1580

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3132

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2528

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2508

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1580-130-0x00000000023F0000-0x000000000347E000-memory.dmp

Filesize
16.6MB

Download
memory/1580-131-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1580-132-0x00000000023F0000-0x000000000347E000-memory.dmp

Filesize
16.6MB

Download
memory/1580-133-0x00000000023F0000-0x000000000347E000-memory.dmp

Filesize
16.6MB

Download
memory/1580-134-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download