sality | ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f

General

Target

ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Size

170KB
MD5

43c5487e528ec3952a7d429b1a37a1e6
SHA1

73cb91e30a1ebeabd209916f5337ff65d9f6286d
SHA256

ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f
SHA512

bf41b7d04ecac05e3624306e315239166b5004126c50b7fc5c83d6cb68f25588fc9cf82f0f7c3ba3efc68f6a44c24ba12872e5f5b93580ddf92579a090e47224
SSDEEP

3072:ivsp2z4JMWLaMrGcDzINDVpVHvsyRnoYmp25L7qouIWm4w+sCF8uzdW5dMSX:ivuoeycD+HvsAoYmp2ju44w+N8WdWjlX

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exeAu_.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Au_.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exeAu_.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Au_.exe

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exeAu_.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	Au_.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

Au_.exe

pid process

4244 Au_.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

3060 netsh.exe
4628 netsh.exe

pid	process
4244	Au_.exe

pid	process
3060	netsh.exe
4628	netsh.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4384-132-0x0000000002360000-0x0000000003393000-memory.dmp	upx
behavioral2/memory/4384-140-0x0000000002360000-0x0000000003393000-memory.dmp	upx
behavioral2/memory/4244-141-0x0000000004B00000-0x0000000005B33000-memory.dmp	upx
behavioral2/memory/4244-144-0x0000000004B00000-0x0000000005B33000-memory.dmp	upx
behavioral2/memory/4244-145-0x0000000004B00000-0x0000000005B33000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

Au_.exe

pid process

4244 Au_.exe

pid	process
4244	Au_.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exeAu_.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	Au_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Au_.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Au_.exeebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe

Drops file in Program Files directory 11 IoCs

Processes:

Au_.exe

description	ioc	process
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe	Au_.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe	Au_.exe

Drops file in Windows directory 1 IoCs

Processes:

ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3488 4628 WerFault.exe netsh.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe

pid	pid_target	process	target process
3488	4628	WerFault.exe	netsh.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exeAu_.exe

pid	process
4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe
4244	Au_.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exeAu_.exe

description	pid	process
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Token: SeDebugPrivilege	4244	Au_.exe
Token: SeDebugPrivilege	4244	Au_.exe
Token: SeDebugPrivilege	4244	Au_.exe
Token: SeDebugPrivilege	4244	Au_.exe
Token: SeDebugPrivilege	4244	Au_.exe
Token: SeDebugPrivilege	4244	Au_.exe
Token: SeDebugPrivilege	4244	Au_.exe
Token: SeDebugPrivilege	4244	Au_.exe
Token: SeDebugPrivilege	4244	Au_.exe
Token: SeDebugPrivilege	4244	Au_.exe
Token: SeDebugPrivilege	4244	Au_.exe
Token: SeDebugPrivilege	4244	Au_.exe
Token: SeDebugPrivilege	4244	Au_.exe
Token: SeDebugPrivilege	4244	Au_.exe
Token: SeDebugPrivilege	4244	Au_.exe
Token: SeDebugPrivilege	4244	Au_.exe
Token: SeDebugPrivilege	4244	Au_.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exeAu_.exe

description	pid	process	target process
PID 4384 wrote to memory of 3060	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe	netsh.exe
PID 4384 wrote to memory of 3060	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe	netsh.exe
PID 4384 wrote to memory of 3060	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe	netsh.exe
PID 4384 wrote to memory of 4244	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe	Au_.exe
PID 4384 wrote to memory of 4244	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe	Au_.exe
PID 4384 wrote to memory of 4244	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe	Au_.exe
PID 4384 wrote to memory of 800	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe	fontdrvhost.exe
PID 4384 wrote to memory of 804	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe	fontdrvhost.exe
PID 4384 wrote to memory of 64	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe	dwm.exe
PID 4384 wrote to memory of 2304	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe	sihost.exe
PID 4384 wrote to memory of 2328	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe	svchost.exe
PID 4384 wrote to memory of 2432	4384	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe	taskhostw.exe
PID 4244 wrote to memory of 4628	4244	Au_.exe	netsh.exe
PID 4244 wrote to memory of 4628	4244	Au_.exe	netsh.exe
PID 4244 wrote to memory of 4628	4244	Au_.exe	netsh.exe
PID 4244 wrote to memory of 800	4244	Au_.exe	fontdrvhost.exe
PID 4244 wrote to memory of 804	4244	Au_.exe	fontdrvhost.exe
PID 4244 wrote to memory of 64	4244	Au_.exe	dwm.exe
PID 4244 wrote to memory of 2304	4244	Au_.exe	sihost.exe
PID 4244 wrote to memory of 2328	4244	Au_.exe	svchost.exe
PID 4244 wrote to memory of 2432	4244	Au_.exe	taskhostw.exe
PID 4244 wrote to memory of 3040	4244	Au_.exe	Explorer.EXE
PID 4244 wrote to memory of 2708	4244	Au_.exe	svchost.exe
PID 4244 wrote to memory of 3228	4244	Au_.exe	DllHost.exe
PID 4244 wrote to memory of 3324	4244	Au_.exe	StartMenuExperienceHost.exe
PID 4244 wrote to memory of 3392	4244	Au_.exe	RuntimeBroker.exe
PID 4244 wrote to memory of 3480	4244	Au_.exe	SearchApp.exe
PID 4244 wrote to memory of 3788	4244	Au_.exe	RuntimeBroker.exe
PID 4244 wrote to memory of 4768	4244	Au_.exe	RuntimeBroker.exe
PID 4244 wrote to memory of 4628	4244	Au_.exe	netsh.exe
PID 4244 wrote to memory of 4628	4244	Au_.exe	netsh.exe
PID 4244 wrote to memory of 800	4244	Au_.exe	fontdrvhost.exe
PID 4244 wrote to memory of 804	4244	Au_.exe	fontdrvhost.exe
PID 4244 wrote to memory of 64	4244	Au_.exe	dwm.exe
PID 4244 wrote to memory of 2304	4244	Au_.exe	sihost.exe
PID 4244 wrote to memory of 2328	4244	Au_.exe	svchost.exe
PID 4244 wrote to memory of 2432	4244	Au_.exe	taskhostw.exe
PID 4244 wrote to memory of 3040	4244	Au_.exe	Explorer.EXE
PID 4244 wrote to memory of 2708	4244	Au_.exe	svchost.exe
PID 4244 wrote to memory of 3228	4244	Au_.exe	DllHost.exe
PID 4244 wrote to memory of 3324	4244	Au_.exe	StartMenuExperienceHost.exe
PID 4244 wrote to memory of 3392	4244	Au_.exe	RuntimeBroker.exe
PID 4244 wrote to memory of 3480	4244	Au_.exe	SearchApp.exe
PID 4244 wrote to memory of 3788	4244	Au_.exe	RuntimeBroker.exe
PID 4244 wrote to memory of 4768	4244	Au_.exe	RuntimeBroker.exe
PID 4244 wrote to memory of 800	4244	Au_.exe	fontdrvhost.exe
PID 4244 wrote to memory of 804	4244	Au_.exe	fontdrvhost.exe
PID 4244 wrote to memory of 64	4244	Au_.exe	dwm.exe
PID 4244 wrote to memory of 2304	4244	Au_.exe	sihost.exe
PID 4244 wrote to memory of 2328	4244	Au_.exe	svchost.exe
PID 4244 wrote to memory of 2432	4244	Au_.exe	taskhostw.exe
PID 4244 wrote to memory of 3040	4244	Au_.exe	Explorer.EXE
PID 4244 wrote to memory of 2708	4244	Au_.exe	svchost.exe
PID 4244 wrote to memory of 3228	4244	Au_.exe	DllHost.exe
PID 4244 wrote to memory of 3324	4244	Au_.exe	StartMenuExperienceHost.exe
PID 4244 wrote to memory of 3392	4244	Au_.exe	RuntimeBroker.exe
PID 4244 wrote to memory of 3480	4244	Au_.exe	SearchApp.exe
PID 4244 wrote to memory of 3788	4244	Au_.exe	RuntimeBroker.exe
PID 4244 wrote to memory of 4768	4244	Au_.exe	RuntimeBroker.exe
PID 4244 wrote to memory of 4540	4244	Au_.exe	NOTEPAD.EXE
PID 4244 wrote to memory of 4540	4244	Au_.exe	NOTEPAD.EXE
PID 4244 wrote to memory of 4540	4244	Au_.exe	NOTEPAD.EXE
PID 4244 wrote to memory of 4540	4244	Au_.exe	NOTEPAD.EXE
PID 4244 wrote to memory of 800	4244	Au_.exe	fontdrvhost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exeAu_.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Au_.exe

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:64

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3392

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4768

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3788

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3480

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3324

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2708

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3040
- C:\Users\Admin\AppData\Local\Temp\ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe
  "C:\Users\Admin\AppData\Local\Temp\ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f.exe"
  2⤵
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4384
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode disable
    3⤵
    - Modifies Windows Firewall
    PID:3060
- - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4244
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall set opmode disable
      4⤵
      Modifies Windows Firewall
      PID:4628
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 80
        5⤵
        Program crash
        
        PID:3488
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:4540
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:4132
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:2256
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:5028
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:3800
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE"
      4⤵
      PID:1852

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2328

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2304

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:804

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4628 -ip 4628
1⤵
PID:3992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nshA6F5.tmp\Processes.dll

Filesize
35KB

MD5
53c49f56c890b3fc52318a0342008813

SHA1
45ad45f8c3ce765a96f8228f7038feb7db114c23

SHA256
48e2706c457b9d91fd36d07e20c6130864a16763b33f78c8dd8282c85b7eb3af

SHA512
7eb4c146ce9ccba47d489d8221ecba8a8a37681a27c22228aa52f56116cb3d4f726cb0c85c2448a7ef300f02abf12d1e03ca0f3b827958492983c9cd69e8c9ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
170KB

MD5
43c5487e528ec3952a7d429b1a37a1e6

SHA1
73cb91e30a1ebeabd209916f5337ff65d9f6286d

SHA256
ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f

SHA512
bf41b7d04ecac05e3624306e315239166b5004126c50b7fc5c83d6cb68f25588fc9cf82f0f7c3ba3efc68f6a44c24ba12872e5f5b93580ddf92579a090e47224

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
170KB

MD5
43c5487e528ec3952a7d429b1a37a1e6

SHA1
73cb91e30a1ebeabd209916f5337ff65d9f6286d

SHA256
ebb4bb58bc0f9a6eb501fea32f4216698670666d4cd450a4095edad6d624090f

SHA512
bf41b7d04ecac05e3624306e315239166b5004126c50b7fc5c83d6cb68f25588fc9cf82f0f7c3ba3efc68f6a44c24ba12872e5f5b93580ddf92579a090e47224

Download Submit
C:\Windows\SYSTEM.INI

Filesize
258B

MD5
1010d05202a7a497393eefd7a03c76f2

SHA1
c73ebd0724703ea3d189873ad5f502fc5e93c620

SHA256
96f47513f3d7ff6940bad02a213acc54f0fe7e2ff5443037d03653caf5352f88

SHA512
98ed3fe6ef342f42bcf79c23dc65fd1cdefcdae912435614ed4a04a0ac8cebc5f9040c3c519a3c5a6a4929f3b17dc2e54aa37c158e9c560c71a68ddd32609b66

Download Submit
memory/1852-157-0x0000000000ED0000-0x0000000000EE7000-memory.dmp

Filesize
92KB

Download
memory/1852-156-0x0000000000000000-mapping.dmp

Download
memory/2256-151-0x0000000001290000-0x00000000012A7000-memory.dmp

Filesize
92KB

Download
memory/2256-150-0x0000000000000000-mapping.dmp

Download
memory/3060-133-0x0000000000000000-mapping.dmp

Download
memory/3800-155-0x0000000000990000-0x00000000009A7000-memory.dmp

Filesize
92KB

Download
memory/3800-154-0x0000000000000000-mapping.dmp

Download
memory/4132-148-0x0000000000000000-mapping.dmp

Download
memory/4132-149-0x0000000000F10000-0x0000000000F27000-memory.dmp

Filesize
92KB

Download
memory/4244-138-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4244-141-0x0000000004B00000-0x0000000005B33000-memory.dmp

Filesize
16.2MB

Download
memory/4244-158-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4244-145-0x0000000004B00000-0x0000000005B33000-memory.dmp

Filesize
16.2MB

Download
memory/4244-144-0x0000000004B00000-0x0000000005B33000-memory.dmp

Filesize
16.2MB

Download
memory/4244-134-0x0000000000000000-mapping.dmp

Download
memory/4384-132-0x0000000002360000-0x0000000003393000-memory.dmp

Filesize
16.2MB

Download
memory/4384-140-0x0000000002360000-0x0000000003393000-memory.dmp

Filesize
16.2MB

Download
memory/4384-137-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4540-146-0x0000000000000000-mapping.dmp

Download
memory/4540-147-0x0000000000690000-0x00000000006A7000-memory.dmp

Filesize
92KB

Download
memory/4628-143-0x0000000000000000-mapping.dmp

Download
memory/5028-152-0x0000000000000000-mapping.dmp

Download
memory/5028-153-0x0000000000830000-0x0000000000847000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads