Analysis
max time kernel: 33s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/02/2024, 08:50
Static task: static1
Behavioral task: behavioral1
Sample: Packed.Win32.Salpack.dll
Resource: win7-20240221-en
General
Target: Packed.Win32.Salpack.dll
Size: 120KB
MD5: 5324155a700251429e47c67235c2fd37
SHA1: 9014b9914d611b4fa6e93367bb34f32c6d950b2c
SHA256: 6d44abc2b493ea2cbdf249aac8b15cfbc88f2a5526b161a3fd1174ede2c96beb
SHA512: ac3a4c1b1e45ec4efa17e1f876a3ad0b28f712e72affd2d5eda474bc733f5c3279a8b8fc83928e353bd3cefeeeb488ff1451b479083fcbce662f0a52c34359da
SSDEEP: 3072:y3QEskaP3ak0PcWMUIylagrH3O+eYjPT:QQNPKk0H0ylRrX8YjP
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5786c4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5786c4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57519a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57519a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57519a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5786c4.exe

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57519a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5786c4.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5786c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57519a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57519a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5786c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57519a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5786c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5786c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5786c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5786c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57519a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57519a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57519a.exe
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality (26 IoCs)
resource | yara_rule
behavioral2/memory/4864-6-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4864-8-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4864-9-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4864-13-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4864-21-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4864-29-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4864-30-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4864-31-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4864-32-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4864-33-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4864-35-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4864-36-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4864-41-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4864-42-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4864-44-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4864-52-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4864-53-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4864-55-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4864-63-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4864-65-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4864-67-0x00000000007F0000-0x00000000018AA000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3168-91-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3168-93-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3168-94-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3168-95-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3168-144-0x00000000007B0000-0x000000000186A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
UPX dump on OEP (original entry point) (29 IoCs)
resource | yara_rule
behavioral2/memory/4864-6-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/4864-8-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/4864-9-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/4864-13-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/4864-21-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/4864-29-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/4864-30-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/4864-31-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/4864-32-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/4864-33-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/4864-35-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/4864-36-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/4864-41-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/4864-42-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/4864-44-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/4864-52-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/4864-53-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/4864-55-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/4864-63-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/4864-65-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/4864-67-0x00000000007F0000-0x00000000018AA000-memory.dmp | UPX
behavioral2/memory/4880-90-0x0000000000400000-0x0000000000412000-memory.dmp | UPX
behavioral2/memory/4864-87-0x0000000000400000-0x0000000000412000-memory.dmp | UPX
behavioral2/memory/3168-91-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3168-93-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3168-94-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3168-95-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
behavioral2/memory/3168-143-0x0000000000400000-0x0000000000412000-memory.dmp | UPX
behavioral2/memory/3168-144-0x00000000007B0000-0x000000000186A000-memory.dmp | UPX
Executes dropped EXE (3 IoCs)
pid | Process
4864 | e57519a.exe
4880 | e5754c7.exe
3168 | e5786c4.exe
resource | yara_rule
behavioral2/memory/4864-6-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4864-8-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4864-9-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4864-13-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4864-21-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4864-29-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4864-30-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4864-31-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4864-32-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4864-33-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4864-35-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4864-36-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4864-41-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4864-42-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4864-44-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4864-52-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4864-53-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4864-55-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4864-63-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4864-65-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/4864-67-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/3168-91-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3168-93-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3168-94-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3168-95-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
behavioral2/memory/3168-144-0x00000000007B0000-0x000000000186A000-memory.dmp | upx
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57519a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57519a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5786c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57519a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5786c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5786c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5786c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57519a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57519a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5786c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5786c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57519a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57519a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5786c4.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57519a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5786c4.exe
Enumerates connected drives (3 TTPs, 9 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\J: | e57519a.exe
File opened (read-only) | \??\G: | e5786c4.exe
File opened (read-only) | \??\H: | e5786c4.exe
File opened (read-only) | \??\H: | e57519a.exe
File opened (read-only) | \??\G: | e57519a.exe
File opened (read-only) | \??\I: | e57519a.exe
File opened (read-only) | \??\K: | e57519a.exe
File opened (read-only) | \??\E: | e5786c4.exe
File opened (read-only) | \??\E: | e57519a.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e5752a4 | e57519a.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57519a.exe
File created | C:\Windows\e57af1c | e5786c4.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
4864 | e57519a.exe
4864 | e57519a.exe
4864 | e57519a.exe
4864 | e57519a.exe
3168 | e5786c4.exe
3168 | e5786c4.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4864 | e57519a.exe
(all 64 entries are this same row: Token: SeDebugPrivilege, pid 4864, e57519a.exe)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4700 wrote to memory of 3568 | 4700 | rundll32.exe | 50
PID 4700 wrote to memory of 3568 | 4700 | rundll32.exe | 50
PID 4700 wrote to memory of 3568 | 4700 | rundll32.exe | 50
PID 3568 wrote to memory of 4864 | 3568 | rundll32.exe | 88
PID 3568 wrote to memory of 4864 | 3568 | rundll32.exe | 88
PID 3568 wrote to memory of 4864 | 3568 | rundll32.exe | 88
PID 4864 wrote to memory of 796 | 4864 | e57519a.exe | 6
PID 4864 wrote to memory of 804 | 4864 | e57519a.exe | 84
PID 4864 wrote to memory of 1020 | 4864 | e57519a.exe | 7
PID 4864 wrote to memory of 2980 | 4864 | e57519a.exe | 54
PID 4864 wrote to memory of 2000 | 4864 | e57519a.exe | 52
PID 4864 wrote to memory of 1428 | 4864 | e57519a.exe | 16
PID 4864 wrote to memory of 3440 | 4864 | e57519a.exe | 47
PID 4864 wrote to memory of 3556 | 4864 | e57519a.exe | 46
PID 4864 wrote to memory of 3772 | 4864 | e57519a.exe | 45
PID 4864 wrote to memory of 3864 | 4864 | e57519a.exe | 44
PID 4864 wrote to memory of 3964 | 4864 | e57519a.exe | 43
PID 4864 wrote to memory of 4048 | 4864 | e57519a.exe | 41
PID 4864 wrote to memory of 4128 | 4864 | e57519a.exe | 40
PID 4864 wrote to memory of 4740 | 4864 | e57519a.exe | 28
PID 4864 wrote to memory of 3888 | 4864 | e57519a.exe | 27
PID 4864 wrote to memory of 536 | 4864 | e57519a.exe | 20
PID 4864 wrote to memory of 2496 | 4864 | e57519a.exe | 19
PID 4864 wrote to memory of 2388 | 4864 | e57519a.exe | 18
PID 4864 wrote to memory of 4700 | 4864 | e57519a.exe | 29
PID 4864 wrote to memory of 3568 | 4864 | e57519a.exe | 50
PID 4864 wrote to memory of 3568 | 4864 | e57519a.exe | 50
PID 3568 wrote to memory of 4880 | 3568 | rundll32.exe | 89
PID 3568 wrote to memory of 4880 | 3568 | rundll32.exe | 89
PID 3568 wrote to memory of 4880 | 3568 | rundll32.exe | 89
PID 4864 wrote to memory of 796 | 4864 | e57519a.exe | 6
PID 4864 wrote to memory of 804 | 4864 | e57519a.exe | 84
PID 4864 wrote to memory of 1020 | 4864 | e57519a.exe | 7
PID 4864 wrote to memory of 2980 | 4864 | e57519a.exe | 54
PID 4864 wrote to memory of 2000 | 4864 | e57519a.exe | 52
PID 4864 wrote to memory of 1428 | 4864 | e57519a.exe | 16
PID 4864 wrote to memory of 3440 | 4864 | e57519a.exe | 47
PID 4864 wrote to memory of 3556 | 4864 | e57519a.exe | 46
PID 4864 wrote to memory of 3772 | 4864 | e57519a.exe | 45
PID 4864 wrote to memory of 3864 | 4864 | e57519a.exe | 44
PID 4864 wrote to memory of 3964 | 4864 | e57519a.exe | 43
PID 4864 wrote to memory of 4048 | 4864 | e57519a.exe | 41
PID 4864 wrote to memory of 4128 | 4864 | e57519a.exe | 40
PID 4864 wrote to memory of 4740 | 4864 | e57519a.exe | 28
PID 4864 wrote to memory of 3888 | 4864 | e57519a.exe | 27
PID 4864 wrote to memory of 536 | 4864 | e57519a.exe | 20
PID 4864 wrote to memory of 2496 | 4864 | e57519a.exe | 19
PID 4864 wrote to memory of 2388 | 4864 | e57519a.exe | 18
PID 4864 wrote to memory of 4700 | 4864 | e57519a.exe | 29
PID 4864 wrote to memory of 4880 | 4864 | e57519a.exe | 89
PID 4864 wrote to memory of 4880 | 4864 | e57519a.exe | 89
PID 4864 wrote to memory of 4760 | 4864 | e57519a.exe | 93
PID 4864 wrote to memory of 620 | 4864 | e57519a.exe | 94
PID 3568 wrote to memory of 3168 | 3568 | rundll32.exe | 95
PID 3568 wrote to memory of 3168 | 3568 | rundll32.exe | 95
PID 3568 wrote to memory of 3168 | 3568 | rundll32.exe | 95
PID 3168 wrote to memory of 796 | 3168 | e5786c4.exe | 6
PID 3168 wrote to memory of 804 | 3168 | e5786c4.exe | 84
PID 3168 wrote to memory of 1020 | 3168 | e5786c4.exe | 7
PID 3168 wrote to memory of 2980 | 3168 | e5786c4.exe | 54
PID 3168 wrote to memory of 2000 | 3168 | e5786c4.exe | 52
PID 3168 wrote to memory of 1428 | 3168 | e5786c4.exe | 16
PID 3168 wrote to memory of 3440 | 3168 | e5786c4.exe | 47
PID 3168 wrote to memory of 3556 | 3168 | e5786c4.exe | 46
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57519a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5786c4.exe
Processes

[level 1] C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 796

[level 1] C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
  PID: 1020

[level 1] C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 1428

[level 1] C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 2388

[level 1] C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  PID: 2496

[level 1] C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
  PID: 536

[level 1] C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3888

[level 1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 4740

[level 1] C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Packed.Win32.Salpack.dll,#1
  signatures:
  - Suspicious use of WriteProcessMemory
  PID: 4700

  [level 2] C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Packed.Win32.Salpack.dll,#1
    signatures:
    - Suspicious use of WriteProcessMemory
    PID: 3568

    [level 3] C:\Users\Admin\AppData\Local\Temp\e57519a.exe
      command line: C:\Users\Admin\AppData\Local\Temp\e57519a.exe
      signatures:
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 4864

    [level 3] C:\Users\Admin\AppData\Local\Temp\e5754c7.exe
      command line: C:\Users\Admin\AppData\Local\Temp\e5754c7.exe
      signatures:
      - Executes dropped EXE
      PID: 4880

    [level 3] C:\Users\Admin\AppData\Local\Temp\e5786c4.exe
      command line: C:\Users\Admin\AppData\Local\Temp\e5786c4.exe
      signatures:
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 3168

[level 1] C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4128

[level 1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4048

[level 1] C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3964

[level 1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3864

[level 1] C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3772

[level 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3556

[level 1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3440

[level 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2000

[level 1] C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2980

[level 1] C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 804

[level 1] C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4760

[level 1] C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 620
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (3)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 731f5d06bcf2eb611c04be404b6091e4
SHA1: de1605e9ecc15c56471a17a230352d3b3fcccd8b
SHA256: 6f97bf93ddd207d4f175e49211c37ff7d875192c8850395f095d0d930c7a8457
SHA512: 930382907d1403e21ec34f0dc5aa03c50558f2da31105452d885baa3c6685b90aabdcbbaf33436d6224135bf21d8c5ac9f82b84ecc0b2c203ffb0b2aa5549a9b

Filesize: 257B
MD5: bc71b05db15d5f9139acc609e50f95a2
SHA1: ac023525c68ab7619bfa623253f8980220614c19
SHA256: 51643661ba52f9defb9448f9f5dbefa81ce0067a5900dacff036ef907b416c20
SHA512: 301b1ba0d36903fb0711f640bf8653f522f8353ddebd32dced5546ee205fd2e20094cbacaf0a69eda5f11809a6c036cfc978d70153f5580b2a8ede2b0c709bec

Filesize: 128KB
MD5: 41bb879a504e904e185253f8aecb1798
SHA1: b857a298f06f0953cafee2be1ced29722c6ea9df
SHA256: 4ee07c452e546fcd1568810b3832cf52a4846b7a693410521d1f72372324085f
SHA512: d165f192e71f16f88726505a9ab85236abe4db7921e1a8fca9cf977280db9f7a852423e2307c309365f62b589fb71cbf3f89580408760a59b9c41ac7ee698ff9