Analysis
-
max time kernel
138s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
19-10-2022 17:11
Static task
static1
Behavioral task
behavioral1
Sample
b97463f78593a0fd37399d13b0ecbad118e21514b2413608c91828f17d223fca.dll
Resource
win7-20220901-en
General
-
Target
b97463f78593a0fd37399d13b0ecbad118e21514b2413608c91828f17d223fca.dll
-
Size
120KB
-
MD5
a226438ada99c70aba7d3c60e990d55f
-
SHA1
3b859f3ba34fcfb824145a862904f8183947f1a0
-
SHA256
b97463f78593a0fd37399d13b0ecbad118e21514b2413608c91828f17d223fca
-
SHA512
db252b3e457db694119ae7b2085ad2a2dc029bfc4091567aca2db46a80b26c16bc6e4614c40745c0e98048a3fca3944aadc1d3736dd9c49fc3040f3b4a615b99
-
SSDEEP
1536:ZGxFKwnDeOiYKryiR0nEUrciip0erJ0pP0+cP22fwc+LbsG51YlRe8kORk4t:ZOFpQ5ryLEIcS1UBQUG51Yls8kOF
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 9 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e56adb9.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" rundll32.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e572386.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e572386.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e56adb9.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" rundll32.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" rundll32.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e572386.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e56adb9.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e56adb9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e572386.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e56adb9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e572386.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e572386.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e572386.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e572386.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e56adb9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e56adb9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e56adb9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e56adb9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e56adb9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e572386.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" rundll32.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e572386.exe -
Executes dropped EXE 8 IoCs
pid Process 1204 e56adb9.exe 4848 e56b192.exe 3908 e572386.exe 5072 e572990.exe 1756 e573ebe.exe 5020 e574120.exe 5016 e57416e.exe 1780 e57419d.exe -
resource yara_rule behavioral2/memory/1204-136-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/1204-142-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/1204-144-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/1204-147-0x00000000007F0000-0x00000000018AA000-memory.dmp upx behavioral2/memory/5044-151-0x0000000004690000-0x000000000574A000-memory.dmp upx behavioral2/memory/5044-153-0x0000000004690000-0x000000000574A000-memory.dmp upx behavioral2/memory/5044-174-0x0000000004690000-0x000000000574A000-memory.dmp upx behavioral2/memory/3908-175-0x0000000000B20000-0x0000000001BDA000-memory.dmp upx behavioral2/memory/3908-176-0x0000000000B20000-0x0000000001BDA000-memory.dmp upx behavioral2/memory/3908-177-0x0000000000B20000-0x0000000001BDA000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e56adb9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e56adb9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e56adb9.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e56adb9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e572386.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e572386.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e572386.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e56adb9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e572386.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e572386.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e56adb9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e56adb9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" rundll32.exe Key 
created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e572386.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e572386.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e56adb9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e572386.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: e56adb9.exe File opened (read-only) \??\F: e572386.exe File opened (read-only) \??\G: e572386.exe File opened (read-only) \??\J: e572386.exe File opened (read-only) \??\G: e56adb9.exe File opened (read-only) \??\M: e56adb9.exe File opened (read-only) \??\N: e56adb9.exe File opened (read-only) \??\Q: e56adb9.exe File opened (read-only) \??\F: e56adb9.exe File opened (read-only) \??\L: e56adb9.exe File opened (read-only) \??\P: e56adb9.exe File opened (read-only) \??\K: e56adb9.exe File opened (read-only) \??\R: e56adb9.exe File opened (read-only) \??\H: e572386.exe File opened (read-only) \??\I: e572386.exe File opened (read-only) \??\E: e56adb9.exe File opened (read-only) \??\I: e56adb9.exe File opened (read-only) \??\J: e56adb9.exe File opened (read-only) \??\H: e56adb9.exe File opened (read-only) \??\S: e56adb9.exe File opened (read-only) \??\E: e572386.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\e572923 rundll32.exe File created C:\Windows\e574f49 e572386.exe File created C:\Windows\e56b0c7 e56adb9.exe File opened for modification C:\Windows\SYSTEM.INI e56adb9.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 1204 e56adb9.exe 1204 e56adb9.exe 1204 e56adb9.exe 1204 e56adb9.exe 5044 rundll32.exe 5044 rundll32.exe 3908 e572386.exe 3908 e572386.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: 
SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe Token: SeDebugPrivilege 1204 e56adb9.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4628 wrote to memory of 5044 4628 rundll32.exe 83 PID 4628 wrote to memory of 5044 4628 rundll32.exe 83 PID 4628 wrote to memory of 5044 4628 rundll32.exe 83 PID 5044 wrote to memory of 1204 5044 rundll32.exe 84 PID 5044 wrote to memory of 1204 5044 rundll32.exe 84 PID 5044 wrote to memory of 1204 5044 rundll32.exe 84 PID 1204 wrote to memory of 768 1204 e56adb9.exe 81 PID 1204 wrote to memory of 776 1204 e56adb9.exe 80 PID 1204 wrote to memory of 1020 1204 e56adb9.exe 8 PID 1204 wrote to memory of 2808 1204 e56adb9.exe 43 PID 1204 wrote to memory of 2844 1204 e56adb9.exe 42 PID 1204 wrote to memory of 2912 1204 e56adb9.exe 41 PID 1204 wrote to memory of 1124 1204 e56adb9.exe 40 PID 1204 wrote to memory of 3096 1204 e56adb9.exe 39 PID 1204 wrote to memory of 3304 1204 e56adb9.exe 38 PID 1204 wrote to memory of 3400 1204 e56adb9.exe 37 PID 1204 wrote to memory of 3464 1204 e56adb9.exe 13 PID 1204 wrote to memory of 3560 1204 e56adb9.exe 36 PID 1204 wrote to memory of 3764 1204 e56adb9.exe 35 PID 1204 wrote to memory of 4508 1204 e56adb9.exe 24 PID 1204 wrote to memory of 1132 1204 e56adb9.exe 17 PID 1204 wrote to memory of 4116 1204 e56adb9.exe 15 PID 1204 wrote to memory of 4628 1204 e56adb9.exe 82 PID 1204 wrote to memory of 5044 1204 e56adb9.exe 83 PID 1204 wrote to memory of 5044 1204 e56adb9.exe 83 PID 5044 wrote to memory of 4848 5044 rundll32.exe 85 PID 5044 wrote to memory of 4848 5044 rundll32.exe 85 PID 5044 wrote to memory of 4848 5044 rundll32.exe 85 PID 1204 wrote to memory of 768 1204 e56adb9.exe 81 PID 1204 wrote to memory of 776 1204 e56adb9.exe 80 PID 1204 wrote to memory of 1020 1204 e56adb9.exe 8 PID 1204 wrote to memory of 2808 1204 e56adb9.exe 43 PID 1204 wrote to memory of 2844 1204 e56adb9.exe 42 PID 1204 wrote to memory of 2912 1204 e56adb9.exe 41 PID 1204 wrote to memory of 1124 1204 e56adb9.exe 40 PID 1204 wrote to memory of 3096 1204 e56adb9.exe 39 PID 1204 wrote to memory of 3304 1204 e56adb9.exe 
38 PID 1204 wrote to memory of 3400 1204 e56adb9.exe 37 PID 1204 wrote to memory of 3464 1204 e56adb9.exe 13 PID 1204 wrote to memory of 3560 1204 e56adb9.exe 36 PID 1204 wrote to memory of 3764 1204 e56adb9.exe 35 PID 1204 wrote to memory of 4508 1204 e56adb9.exe 24 PID 1204 wrote to memory of 1132 1204 e56adb9.exe 17 PID 1204 wrote to memory of 4116 1204 e56adb9.exe 15 PID 1204 wrote to memory of 4628 1204 e56adb9.exe 82 PID 1204 wrote to memory of 4848 1204 e56adb9.exe 85 PID 1204 wrote to memory of 4848 1204 e56adb9.exe 85 PID 5044 wrote to memory of 3908 5044 rundll32.exe 87 PID 5044 wrote to memory of 3908 5044 rundll32.exe 87 PID 5044 wrote to memory of 3908 5044 rundll32.exe 87 PID 5044 wrote to memory of 5072 5044 rundll32.exe 88 PID 5044 wrote to memory of 5072 5044 rundll32.exe 88 PID 5044 wrote to memory of 5072 5044 rundll32.exe 88 PID 5044 wrote to memory of 768 5044 rundll32.exe 81 PID 5044 wrote to memory of 776 5044 rundll32.exe 80 PID 5044 wrote to memory of 1020 5044 rundll32.exe 8 PID 5044 wrote to memory of 2808 5044 rundll32.exe 43 PID 5044 wrote to memory of 2844 5044 rundll32.exe 42 PID 5044 wrote to memory of 2912 5044 rundll32.exe 41 PID 5044 wrote to memory of 1124 5044 rundll32.exe 40 PID 5044 wrote to memory of 3096 5044 rundll32.exe 39 PID 5044 wrote to memory of 3304 5044 rundll32.exe 38 PID 5044 wrote to memory of 3400 5044 rundll32.exe 37 PID 5044 wrote to memory of 3464 5044 rundll32.exe 13 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e56adb9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e572386.exe
Processes
-
C:\Windows\system32\dwm.exe  |  "dwm.exe"  |  level 1  |  PID:1020
-
C:\Windows\System32\RuntimeBroker.exe  |  C:\Windows\System32\RuntimeBroker.exe -Embedding  |  level 1  |  PID:3464
-
C:\Windows\System32\RuntimeBroker.exe  |  C:\Windows\System32\RuntimeBroker.exe -Embedding  |  level 1  |  PID:4116
-
C:\Windows\system32\backgroundTaskHost.exe  |  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  |  level 1  |  PID:1132
-
C:\Windows\system32\backgroundTaskHost.exe  |  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca  |  level 1  |  PID:4508
-
C:\Windows\System32\RuntimeBroker.exe  |  C:\Windows\System32\RuntimeBroker.exe -Embedding  |  level 1  |  PID:3764
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  |  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  |  level 1  |  PID:3560
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  |  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  |  level 1  |  PID:3400
-
C:\Windows\system32\DllHost.exe  |  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  |  level 1  |  PID:3304
-
C:\Windows\system32\svchost.exe  |  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  |  level 1  |  PID:3096
-
C:\Windows\Explorer.EXE  |  C:\Windows\Explorer.EXE  |  level 1  |  PID:1124
-
C:\Windows\system32\rundll32.exe  |  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b97463f78593a0fd37399d13b0ecbad118e21514b2413608c91828f17d223fca.dll,#1  |  level 2
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\rundll32.exe  |  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b97463f78593a0fd37399d13b0ecbad118e21514b2413608c91828f17d223fca.dll,#1  |  level 3
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5044 -
C:\Users\Admin\AppData\Local\Temp\e56adb9.exe  |  C:\Users\Admin\AppData\Local\Temp\e56adb9.exe  |  level 4
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1204
-
-
C:\Users\Admin\AppData\Local\Temp\e56b192.exe  |  C:\Users\Admin\AppData\Local\Temp\e56b192.exe  |  level 4
- Executes dropped EXE
PID:4848
-
-
C:\Users\Admin\AppData\Local\Temp\e572386.exe  |  C:\Users\Admin\AppData\Local\Temp\e572386.exe  |  level 4
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:3908
-
-
C:\Users\Admin\AppData\Local\Temp\e572990.exe  |  C:\Users\Admin\AppData\Local\Temp\e572990.exe  |  level 4
- Executes dropped EXE
PID:5072
-
-
C:\Users\Admin\AppData\Local\Temp\e573ebe.exe  |  C:\Users\Admin\AppData\Local\Temp\e573ebe.exe  |  level 4
- Executes dropped EXE
PID:1756
-
-
C:\Users\Admin\AppData\Local\Temp\e574120.exe  |  C:\Users\Admin\AppData\Local\Temp\e574120.exe  |  level 4
- Executes dropped EXE
PID:5020
-
-
C:\Users\Admin\AppData\Local\Temp\e57416e.exe  |  C:\Users\Admin\AppData\Local\Temp\e57416e.exe  |  level 4
- Executes dropped EXE
PID:5016
-
-
C:\Users\Admin\AppData\Local\Temp\e57419d.exe  |  C:\Users\Admin\AppData\Local\Temp\e57419d.exe  |  level 4
- Executes dropped EXE
PID:1780
-
-
-
-
C:\Windows\system32\taskhostw.exe  |  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  |  level 1  |  PID:2912
-
C:\Windows\system32\svchost.exe  |  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  |  level 1  |  PID:2844
-
C:\Windows\system32\sihost.exe  |  sihost.exe  |  level 1  |  PID:2808
-
C:\Windows\system32\fontdrvhost.exe  |  "fontdrvhost.exe"  |  level 1  |  PID:776
-
C:\Windows\system32\fontdrvhost.exe  |  "fontdrvhost.exe"  |  level 1  |  PID:768
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
97KB
MD5 9b80243e8d414174b48066e200f4e98f
SHA1 da4ac4056c16c09ac77142477141493f51212634
SHA256 ff29f6252fc7bf9fd891dd2b70721d619e75481594397b960adacab44558738d
SHA512 3c15eaf71ad6d77997b36f87d0caff82c67dbbaf4585664420c3d0200515cb7793d0507fdefd2c7e94b9f6f9ae5af77cb879e0e7dd87cb40d955a7c99a13b184
-
Filesize
97KB
MD5 9b80243e8d414174b48066e200f4e98f
SHA1 da4ac4056c16c09ac77142477141493f51212634
SHA256 ff29f6252fc7bf9fd891dd2b70721d619e75481594397b960adacab44558738d
SHA512 3c15eaf71ad6d77997b36f87d0caff82c67dbbaf4585664420c3d0200515cb7793d0507fdefd2c7e94b9f6f9ae5af77cb879e0e7dd87cb40d955a7c99a13b184
-
Filesize
97KB
MD5 9b80243e8d414174b48066e200f4e98f
SHA1 da4ac4056c16c09ac77142477141493f51212634
SHA256 ff29f6252fc7bf9fd891dd2b70721d619e75481594397b960adacab44558738d
SHA512 3c15eaf71ad6d77997b36f87d0caff82c67dbbaf4585664420c3d0200515cb7793d0507fdefd2c7e94b9f6f9ae5af77cb879e0e7dd87cb40d955a7c99a13b184
-
Filesize
97KB
MD5 9b80243e8d414174b48066e200f4e98f
SHA1 da4ac4056c16c09ac77142477141493f51212634
SHA256 ff29f6252fc7bf9fd891dd2b70721d619e75481594397b960adacab44558738d
SHA512 3c15eaf71ad6d77997b36f87d0caff82c67dbbaf4585664420c3d0200515cb7793d0507fdefd2c7e94b9f6f9ae5af77cb879e0e7dd87cb40d955a7c99a13b184
-
Filesize
97KB
MD5 9b80243e8d414174b48066e200f4e98f
SHA1 da4ac4056c16c09ac77142477141493f51212634
SHA256 ff29f6252fc7bf9fd891dd2b70721d619e75481594397b960adacab44558738d
SHA512 3c15eaf71ad6d77997b36f87d0caff82c67dbbaf4585664420c3d0200515cb7793d0507fdefd2c7e94b9f6f9ae5af77cb879e0e7dd87cb40d955a7c99a13b184
-
Filesize
97KB
MD5 9b80243e8d414174b48066e200f4e98f
SHA1 da4ac4056c16c09ac77142477141493f51212634
SHA256 ff29f6252fc7bf9fd891dd2b70721d619e75481594397b960adacab44558738d
SHA512 3c15eaf71ad6d77997b36f87d0caff82c67dbbaf4585664420c3d0200515cb7793d0507fdefd2c7e94b9f6f9ae5af77cb879e0e7dd87cb40d955a7c99a13b184
-
Filesize
97KB
MD5 9b80243e8d414174b48066e200f4e98f
SHA1 da4ac4056c16c09ac77142477141493f51212634
SHA256 ff29f6252fc7bf9fd891dd2b70721d619e75481594397b960adacab44558738d
SHA512 3c15eaf71ad6d77997b36f87d0caff82c67dbbaf4585664420c3d0200515cb7793d0507fdefd2c7e94b9f6f9ae5af77cb879e0e7dd87cb40d955a7c99a13b184
-
Filesize
97KB
MD5 9b80243e8d414174b48066e200f4e98f
SHA1 da4ac4056c16c09ac77142477141493f51212634
SHA256 ff29f6252fc7bf9fd891dd2b70721d619e75481594397b960adacab44558738d
SHA512 3c15eaf71ad6d77997b36f87d0caff82c67dbbaf4585664420c3d0200515cb7793d0507fdefd2c7e94b9f6f9ae5af77cb879e0e7dd87cb40d955a7c99a13b184
-
Filesize
97KB
MD5 9b80243e8d414174b48066e200f4e98f
SHA1 da4ac4056c16c09ac77142477141493f51212634
SHA256 ff29f6252fc7bf9fd891dd2b70721d619e75481594397b960adacab44558738d
SHA512 3c15eaf71ad6d77997b36f87d0caff82c67dbbaf4585664420c3d0200515cb7793d0507fdefd2c7e94b9f6f9ae5af77cb879e0e7dd87cb40d955a7c99a13b184
-
Filesize
97KB
MD5 9b80243e8d414174b48066e200f4e98f
SHA1 da4ac4056c16c09ac77142477141493f51212634
SHA256 ff29f6252fc7bf9fd891dd2b70721d619e75481594397b960adacab44558738d
SHA512 3c15eaf71ad6d77997b36f87d0caff82c67dbbaf4585664420c3d0200515cb7793d0507fdefd2c7e94b9f6f9ae5af77cb879e0e7dd87cb40d955a7c99a13b184
-
Filesize
97KB
MD5 9b80243e8d414174b48066e200f4e98f
SHA1 da4ac4056c16c09ac77142477141493f51212634
SHA256 ff29f6252fc7bf9fd891dd2b70721d619e75481594397b960adacab44558738d
SHA512 3c15eaf71ad6d77997b36f87d0caff82c67dbbaf4585664420c3d0200515cb7793d0507fdefd2c7e94b9f6f9ae5af77cb879e0e7dd87cb40d955a7c99a13b184
-
Filesize
97KB
MD5 9b80243e8d414174b48066e200f4e98f
SHA1 da4ac4056c16c09ac77142477141493f51212634
SHA256 ff29f6252fc7bf9fd891dd2b70721d619e75481594397b960adacab44558738d
SHA512 3c15eaf71ad6d77997b36f87d0caff82c67dbbaf4585664420c3d0200515cb7793d0507fdefd2c7e94b9f6f9ae5af77cb879e0e7dd87cb40d955a7c99a13b184
-
Filesize
97KB
MD5 9b80243e8d414174b48066e200f4e98f
SHA1 da4ac4056c16c09ac77142477141493f51212634
SHA256 ff29f6252fc7bf9fd891dd2b70721d619e75481594397b960adacab44558738d
SHA512 3c15eaf71ad6d77997b36f87d0caff82c67dbbaf4585664420c3d0200515cb7793d0507fdefd2c7e94b9f6f9ae5af77cb879e0e7dd87cb40d955a7c99a13b184
-
Filesize
97KB
MD5 9b80243e8d414174b48066e200f4e98f
SHA1 da4ac4056c16c09ac77142477141493f51212634
SHA256 ff29f6252fc7bf9fd891dd2b70721d619e75481594397b960adacab44558738d
SHA512 3c15eaf71ad6d77997b36f87d0caff82c67dbbaf4585664420c3d0200515cb7793d0507fdefd2c7e94b9f6f9ae5af77cb879e0e7dd87cb40d955a7c99a13b184
-
Filesize
97KB
MD5 9b80243e8d414174b48066e200f4e98f
SHA1 da4ac4056c16c09ac77142477141493f51212634
SHA256 ff29f6252fc7bf9fd891dd2b70721d619e75481594397b960adacab44558738d
SHA512 3c15eaf71ad6d77997b36f87d0caff82c67dbbaf4585664420c3d0200515cb7793d0507fdefd2c7e94b9f6f9ae5af77cb879e0e7dd87cb40d955a7c99a13b184
-
Filesize
97KB
MD5 9b80243e8d414174b48066e200f4e98f
SHA1 da4ac4056c16c09ac77142477141493f51212634
SHA256 ff29f6252fc7bf9fd891dd2b70721d619e75481594397b960adacab44558738d
SHA512 3c15eaf71ad6d77997b36f87d0caff82c67dbbaf4585664420c3d0200515cb7793d0507fdefd2c7e94b9f6f9ae5af77cb879e0e7dd87cb40d955a7c99a13b184
-
Filesize
256B
MD5 a101aead622b0230f0fd61182e6ba4a4
SHA1 3feb0f6f61c5dfe7fda50dd9d1ee495ab9e354fe
SHA256 06337ae14218e7e38ab50202828456f2f94103b26af112056f6183b33835adcc
SHA512 55a24dfb6c5def06c225feb8ac81652d42d24c16487940465a4fc0ef867bd54b5e8d05ea0588116660a7918d7937799453fbc8d06c38bf101a6c8772da2bec49