Malware Analysis Report

2025-08-05 19:38

Sample ID: 240229-kr4wbscb79
Target: Packed.Win32.Salpack.e-6d44abc2b493ea2cbdf249aac8b15cfbc88f2a5526b161a3fd1174ede2c96beb
SHA256: 6d44abc2b493ea2cbdf249aac8b15cfbc88f2a5526b161a3fd1174ede2c96beb
Tags: sality backdoor evasion trojan upx
Score: 10/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK (Enterprise Matrix V15)
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files
- Analysis: behavioral2
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 10/10
SHA256: 6d44abc2b493ea2cbdf249aac8b15cfbc88f2a5526b161a3fd1174ede2c96beb
Threat Level: Known bad

The file Packed.Win32.Salpack.e-6d44abc2b493ea2cbdf249aac8b15cfbc88f2a5526b161a3fd1174ede2c96beb was found to be: Known bad.

Malicious Activity Summary

Tags: sality backdoor evasion trojan upx

Signatures triggered:
- Modifies firewall policy service
- Windows security bypass
- UAC bypass
- Sality
- Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
- UPX dump on OEP (original entry point)
- Windows security modification
- UPX packed file
- Loads dropped DLL
- Executes dropped EXE
- Enumerates connected drives
- Checks whether UAC is enabled
- Drops file in Windows directory
- Unsigned PE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
- Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-29 08:50

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-29 08:50
Reported: 2024-02-29 08:53
Platform: win7-20240221-en
Max time kernel: 122s
Max time network: 125s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

Modifies firewall policy service

Tags: evasion

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\f7665f4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\f7665f4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\f7665f4.exe | N/A

Sality

Tags: backdoor sality

UAC bypass

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f7665f4.exe | N/A

Windows security bypass

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7665f4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f7665f4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7665f4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f7665f4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7665f4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7665f4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 23 (identical entries; the report records no details for this signature)

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 29 (identical entries; the report records no details for this signature)

UPX packed file

Tags: upx

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 23 (identical entries; the report records no details for this signature)

Windows security modification

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7665f4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7665f4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\f7665f4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7665f4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f7665f4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f7665f4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f7665f4.exe | N/A

Checks whether UAC is enabled

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f7665f4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\f764921 | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A
File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A
File created | C:\Windows\f76b635 | C:\Users\Admin\AppData\Local\Temp\f7665f4.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A | 2

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A | 21 (identical entries)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count (consecutive identical entries, original order kept)
PID 1908 wrote to memory of 2212 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe | 7
PID 2212 wrote to memory of 2012 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f764827.exe | 4
PID 2012 wrote to memory of 1124 | N/A | C:\Users\Admin\AppData\Local\Temp\f764827.exe | C:\Windows\system32\taskhost.exe | 1
PID 2012 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\f764827.exe | C:\Windows\system32\Dwm.exe | 1
PID 2012 wrote to memory of 1288 | N/A | C:\Users\Admin\AppData\Local\Temp\f764827.exe | C:\Windows\Explorer.EXE | 1
PID 2012 wrote to memory of 1016 | N/A | C:\Users\Admin\AppData\Local\Temp\f764827.exe | C:\Windows\system32\DllHost.exe | 1
PID 2012 wrote to memory of 1908 | N/A | C:\Users\Admin\AppData\Local\Temp\f764827.exe | C:\Windows\system32\rundll32.exe | 1
PID 2012 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\f764827.exe | C:\Windows\SysWOW64\rundll32.exe | 2
PID 2212 wrote to memory of 2708 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f765206.exe | 4
PID 2212 wrote to memory of 2892 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f7665f4.exe | 4
PID 2012 wrote to memory of 1124 | N/A | C:\Users\Admin\AppData\Local\Temp\f764827.exe | C:\Windows\system32\taskhost.exe | 1
PID 2012 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\f764827.exe | C:\Windows\system32\Dwm.exe | 1
PID 2012 wrote to memory of 1288 | N/A | C:\Users\Admin\AppData\Local\Temp\f764827.exe | C:\Windows\Explorer.EXE | 1
PID 2012 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\f764827.exe | C:\Users\Admin\AppData\Local\Temp\f765206.exe | 2
PID 2012 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\f764827.exe | C:\Users\Admin\AppData\Local\Temp\f7665f4.exe | 2

System policy modification

Tags: evasion

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f764827.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f7665f4.exe | N/A

Processes

Image | Command line
C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe"
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe | "taskhost.exe"
C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\Packed.Win32.Salpack.dll,#1
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\Packed.Win32.Salpack.dll,#1
C:\Users\Admin\AppData\Local\Temp\f764827.exe | C:\Users\Admin\AppData\Local\Temp\f764827.exe
C:\Users\Admin\AppData\Local\Temp\f765206.exe | C:\Users\Admin\AppData\Local\Temp\f765206.exe
C:\Users\Admin\AppData\Local\Temp\f7665f4.exe | C:\Users\Admin\AppData\Local\Temp\f7665f4.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\f764827.exe
MD5: 731f5d06bcf2eb611c04be404b6091e4
SHA1: de1605e9ecc15c56471a17a230352d3b3fcccd8b
SHA256: 6f97bf93ddd207d4f175e49211c37ff7d875192c8850395f095d0d930c7a8457
SHA512: 930382907d1403e21ec34f0dc5aa03c50558f2da31105452d885baa3c6685b90aabdcbbaf33436d6224135bf21d8c5ac9f82b84ecc0b2c203ffb0b2aa5549a9b

Memory dumps (PID-index-start-end):
memory/2012-11-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2212-10-0x0000000000110000-0x0000000000122000-memory.dmp
memory/2212-8-0x0000000000110000-0x0000000000122000-memory.dmp
memory/2212-2-0x0000000010000000-0x0000000010020000-memory.dmp
memory/2012-12-0x0000000000590000-0x000000000164A000-memory.dmp
memory/2012-14-0x0000000000590000-0x000000000164A000-memory.dmp
memory/1124-16-0x0000000001B80000-0x0000000001B82000-memory.dmp
memory/2012-15-0x0000000000590000-0x000000000164A000-memory.dmp
memory/2012-19-0x0000000000590000-0x000000000164A000-memory.dmp
memory/2012-22-0x0000000000590000-0x000000000164A000-memory.dmp
memory/2212-26-0x00000000001F0000-0x00000000001F2000-memory.dmp
memory/2212-28-0x0000000000200000-0x0000000000201000-memory.dmp
memory/2212-34-0x00000000001F0000-0x00000000001F2000-memory.dmp
memory/2012-25-0x0000000000590000-0x000000000164A000-memory.dmp
memory/2212-46-0x0000000000250000-0x0000000000262000-memory.dmp
memory/2708-47-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2212-37-0x0000000000200000-0x0000000000201000-memory.dmp
memory/2012-36-0x0000000000590000-0x000000000164A000-memory.dmp
memory/2012-55-0x00000000003F0000-0x00000000003F2000-memory.dmp
memory/2012-51-0x0000000000590000-0x000000000164A000-memory.dmp
memory/2012-58-0x0000000001790000-0x0000000001791000-memory.dmp
memory/2012-57-0x0000000000590000-0x000000000164A000-memory.dmp
memory/2012-59-0x0000000000590000-0x000000000164A000-memory.dmp
memory/2012-61-0x0000000000590000-0x000000000164A000-memory.dmp
memory/2012-62-0x0000000000590000-0x000000000164A000-memory.dmp
memory/2012-63-0x0000000000590000-0x000000000164A000-memory.dmp
memory/2212-72-0x00000000001F0000-0x00000000001F2000-memory.dmp
memory/2212-74-0x0000000000250000-0x0000000000262000-memory.dmp
memory/2212-78-0x0000000000110000-0x0000000000112000-memory.dmp
memory/2212-77-0x0000000000250000-0x0000000000262000-memory.dmp
memory/2892-79-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2012-80-0x0000000000590000-0x000000000164A000-memory.dmp
memory/2012-81-0x0000000000590000-0x000000000164A000-memory.dmp
memory/2012-83-0x0000000000590000-0x000000000164A000-memory.dmp
memory/2012-84-0x0000000000590000-0x000000000164A000-memory.dmp
memory/2012-87-0x0000000000590000-0x000000000164A000-memory.dmp
memory/2708-96-0x0000000000260000-0x0000000000262000-memory.dmp
memory/2708-98-0x00000000002B0000-0x00000000002B1000-memory.dmp
memory/2012-97-0x0000000000590000-0x000000000164A000-memory.dmp
memory/2892-106-0x00000000003E0000-0x00000000003E2000-memory.dmp
memory/2892-109-0x00000000003F0000-0x00000000003F1000-memory.dmp
memory/2012-103-0x0000000000590000-0x000000000164A000-memory.dmp
memory/2012-135-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2708-134-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2012-136-0x0000000000590000-0x000000000164A000-memory.dmp
memory/2892-138-0x0000000000910000-0x00000000019CA000-memory.dmp

C:\Windows\SYSTEM.INI
MD5: 8f9441a4ea82f183767bf8da21fa52ae
SHA1: 3ae302e8b65a5ed8c6fb4482eb73996c7d4a69cb
SHA256: c129e8c60ee5c35516d45312babb786c822e039308a96ecf31b38f64dad760b0
SHA512: 18ce9040ab61d5b17b4ba639b62f61c91f9aeedddc9b4b59327240f333fd5fe049d0e8fc7166197e029c226a8f5715c240525036bec5cf9858ce4a77410d9ac0

Memory dumps (PID-index-start-end):
memory/2892-145-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2892-146-0x0000000000910000-0x00000000019CA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-29 08:50
Reported: 2024-02-29 08:53
Platform: win10v2004-20240226-en
Max time kernel: 33s
Max time network: 149s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

Tags: evasion

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e5786c4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e5786c4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e57519a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e57519a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e57519a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e5786c4.exe | N/A

Sality

Tags: backdoor sality

UAC bypass

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e57519a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e5786c4.exe | N/A

Windows security bypass

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e5786c4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57519a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57519a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5786c4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57519a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e5786c4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5786c4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5786c4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5786c4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57519a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57519a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57519a.exe | N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 26 (identical entries; the report records no details for this signature)

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 29 (identical entries; the report records no details for this signature)

UPX packed file

Tags: upx

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 26 (identical entries; the report records no details for this signature)

Windows security modification

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57519a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57519a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5786c4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57519a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5786c4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e5786c4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5786c4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57519a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57519a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e5786c4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5786c4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57519a.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e57519a.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e5786c4.exe | N/A

Checks whether UAC is enabled

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e57519a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e5786c4.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\e57519a.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\e5786c4.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\e5786c4.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\e57519a.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\e57519a.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\e57519a.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\e57519a.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\e5786c4.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\e57519a.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\e5752a4 | C:\Users\Admin\AppData\Local\Temp\e57519a.exe | N/A
File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\e57519a.exe | N/A
File created | C:\Windows\e57af1c | C:\Users\Admin\AppData\Local\Temp\e5786c4.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57519a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4700 wrote to memory of 3568 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3568 wrote to memory of 4864 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57519a.exe
PID 4864 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e57519a.exe C:\Windows\system32\fontdrvhost.exe
PID 4864 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e57519a.exe C:\Windows\system32\fontdrvhost.exe
PID 4864 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\e57519a.exe C:\Windows\system32\dwm.exe
PID 4864 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\e57519a.exe C:\Windows\system32\sihost.exe
PID 4864 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\e57519a.exe C:\Windows\system32\svchost.exe
PID 4864 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\e57519a.exe C:\Windows\system32\taskhostw.exe
PID 4864 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\e57519a.exe C:\Windows\Explorer.EXE
PID 4864 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\e57519a.exe C:\Windows\system32\svchost.exe
PID 4864 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\e57519a.exe C:\Windows\system32\DllHost.exe
PID 4864 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\e57519a.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4864 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\e57519a.exe C:\Windows\System32\RuntimeBroker.exe
PID 4864 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\e57519a.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4864 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\e57519a.exe C:\Windows\System32\RuntimeBroker.exe
PID 4864 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\e57519a.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4864 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\e57519a.exe C:\Windows\System32\RuntimeBroker.exe
PID 4864 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\e57519a.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4864 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\e57519a.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4864 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\e57519a.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4864 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\e57519a.exe C:\Windows\system32\rundll32.exe
PID 4864 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\e57519a.exe C:\Windows\SysWOW64\rundll32.exe
PID 3568 wrote to memory of 4880 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5754c7.exe
PID 4864 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\e57519a.exe C:\Users\Admin\AppData\Local\Temp\e5754c7.exe
PID 4864 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\e57519a.exe C:\Windows\System32\RuntimeBroker.exe
PID 4864 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\e57519a.exe C:\Windows\System32\RuntimeBroker.exe
PID 3568 wrote to memory of 3168 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5786c4.exe
PID 3168 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e5786c4.exe C:\Windows\system32\fontdrvhost.exe
PID 3168 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e5786c4.exe C:\Windows\system32\fontdrvhost.exe
PID 3168 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\e5786c4.exe C:\Windows\system32\dwm.exe
PID 3168 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\e5786c4.exe C:\Windows\system32\sihost.exe
PID 3168 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\e5786c4.exe C:\Windows\system32\svchost.exe
PID 3168 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\e5786c4.exe C:\Windows\system32\taskhostw.exe
PID 3168 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\e5786c4.exe C:\Windows\Explorer.EXE
PID 3168 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\e5786c4.exe C:\Windows\system32\svchost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57519a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5786c4.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Packed.Win32.Salpack.dll,#1

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Packed.Win32.Salpack.dll,#1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Users\Admin\AppData\Local\Temp\e57519a.exe

C:\Users\Admin\AppData\Local\Temp\e57519a.exe

C:\Users\Admin\AppData\Local\Temp\e5754c7.exe

C:\Users\Admin\AppData\Local\Temp\e5754c7.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e5786c4.exe

C:\Users\Admin\AppData\Local\Temp\e5786c4.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\e57519a.exe

MD5 731f5d06bcf2eb611c04be404b6091e4
SHA1 de1605e9ecc15c56471a17a230352d3b3fcccd8b
SHA256 6f97bf93ddd207d4f175e49211c37ff7d875192c8850395f095d0d930c7a8457
SHA512 930382907d1403e21ec34f0dc5aa03c50558f2da31105452d885baa3c6685b90aabdcbbaf33436d6224135bf21d8c5ac9f82b84ecc0b2c203ffb0b2aa5549a9b

C:\Windows\SYSTEM.INI

MD5 bc71b05db15d5f9139acc609e50f95a2
SHA1 ac023525c68ab7619bfa623253f8980220614c19
SHA256 51643661ba52f9defb9448f9f5dbefa81ce0067a5900dacff036ef907b416c20
SHA512 301b1ba0d36903fb0711f640bf8653f522f8353ddebd32dced5546ee205fd2e20094cbacaf0a69eda5f11809a6c036cfc978d70153f5580b2a8ede2b0c709bec

C:\odt\office2016setup.exe

MD5 41bb879a504e904e185253f8aecb1798
SHA1 b857a298f06f0953cafee2be1ced29722c6ea9df
SHA256 4ee07c452e546fcd1568810b3832cf52a4846b7a693410521d1f72372324085f
SHA512 d165f192e71f16f88726505a9ab85236abe4db7921e1a8fca9cf977280db9f7a852423e2307c309365f62b589fb71cbf3f89580408760a59b9c41ac7ee698ff9
