Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 29/02/2024, 08:51

Static task: static1
Behavioral task: behavioral1
Sample: Packed.Win32.Salpack.dll
Resource: win7-20240221-en
General
Target: Packed.Win32.Salpack.dll
Size: 120KB
MD5: d1aa87b843048ddaaa60250a8d2356ee
SHA1: 99193bc74f0b9450211d78902a7b281aa45f45fe
SHA256: 9cba23e62607106638fbefce00cebfd267791bca3ac8289d7ec5ec2a346d0c28
SHA512: fd885290957f4186ce12c536fa6b4b46890f172d52703bf8fc84dd5b03bae4336b429521f51baf335bd2c3eacc14159dc45f676eae1e9c97d2db096b51d8aa5c
SSDEEP: 3072:70IxCoyignbh6wL9cjPIR7axm3Bg5MDzZr4yD7a:3xCoyPbhJatm32YVz7a
Malware Config
Extracted: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f763939.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f763939.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f763939.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f761d70.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f761d70.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f761d70.exe
UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f763939.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f761d70.exe
Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f761d70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f761d70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f763939.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f763939.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f761d70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f761d70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f761d70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f761d70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f763939.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f763939.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f763939.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f763939.exe
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 25 IoCs
resource | yara_rule
behavioral1/memory/2356-N-0x00000000005A0000-0x000000000165A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
    for N in 10, 13, 14, 16, 19, 22, 25, 30, 45, 49, 57, 58, 59, 60, 61, 74, 79, 80, 82, 84, 104, 106, 146 (23 dumps of the same region)
behavioral1/memory/2604-N-0x00000000009C0000-0x0000000001A7A000-memory.dmp | INDICATOR_EXE_Packed_SimplePolyEngine
    for N in 153, 192 (2 dumps)
UPX dump on OEP (original entry point) 29 IoCs
resource | yara_rule
behavioral1/memory/2356-11-0x0000000000400000-0x0000000000412000-memory.dmp | UPX
behavioral1/memory/2356-N-0x00000000005A0000-0x000000000165A000-memory.dmp | UPX
    for N in 10, 13, 14, 16, 19, 22, 25, 30, 45, 49, 57, 58, 59, 60, 61, 74, 79, 80, 82, 84, 104, 106, 146 (23 dumps of the same region)
behavioral1/memory/2580-46-0x0000000000400000-0x0000000000412000-memory.dmp | UPX
behavioral1/memory/2604-78-0x0000000000400000-0x0000000000412000-memory.dmp | UPX
behavioral1/memory/2604-N-0x00000000009C0000-0x0000000001A7A000-memory.dmp | UPX
    for N in 153, 192 (2 dumps)
behavioral1/memory/2604-193-0x0000000000400000-0x0000000000412000-memory.dmp | UPX
Executes dropped EXE 3 IoCs
pid | Process
2356 | f761d70.exe
2580 | f762240.exe
2604 | f763939.exe
Loads dropped DLL 6 IoCs
pid | Process
2012 | rundll32.exe (6 identical entries)
YARA rule match: upx 25 IoCs
resource | yara_rule
behavioral1/memory/2356-N-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
    for N in 10, 13, 14, 16, 19, 22, 25, 30, 45, 49, 57, 58, 59, 60, 61, 74, 79, 80, 82, 84, 104, 106, 146 (23 dumps of the same region)
behavioral1/memory/2604-N-0x00000000009C0000-0x0000000001A7A000-memory.dmp | upx
    for N in 153, 192 (2 dumps)
Windows security modification 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f763939.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f763939.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f763939.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f761d70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f761d70.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f761d70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f763939.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f761d70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f761d70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f763939.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f763939.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f761d70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f761d70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f763939.exe
Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f761d70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f763939.exe
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\O: | f761d70.exe
File opened (read-only) | \??\G: | f761d70.exe
File opened (read-only) | \??\H: | f761d70.exe
File opened (read-only) | \??\L: | f761d70.exe
File opened (read-only) | \??\Q: | f761d70.exe
File opened (read-only) | \??\K: | f761d70.exe
File opened (read-only) | \??\N: | f761d70.exe
File opened (read-only) | \??\P: | f761d70.exe
File opened (read-only) | \??\M: | f761d70.exe
File opened (read-only) | \??\E: | f761d70.exe
File opened (read-only) | \??\I: | f761d70.exe
File opened (read-only) | \??\J: | f761d70.exe
File opened (read-only) | \??\E: | f763939.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\f761e3a | f761d70.exe
File opened for modification | C:\Windows\SYSTEM.INI | f761d70.exe
File created | C:\Windows\f7674a3 | f763939.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
2356 | f761d70.exe (2 entries)
2604 | f763939.exe
Suspicious use of AdjustPrivilegeToken 41 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2356 | f761d70.exe (21 identical entries)
Token: SeDebugPrivilege | 2604 | f763939.exe (20 identical entries)
Suspicious use of WriteProcessMemory 36 IoCs
description | pid | Process | procid_target
PID 1444 wrote to memory of 2012 | 1444 | rundll32.exe | 28 (7 entries)
PID 2012 wrote to memory of 2356 | 2012 | rundll32.exe | 29 (4 entries)
PID 2356 wrote to memory of 1120 | 2356 | f761d70.exe | 12
PID 2356 wrote to memory of 1176 | 2356 | f761d70.exe | 16
PID 2356 wrote to memory of 1248 | 2356 | f761d70.exe | 13
PID 2356 wrote to memory of 1072 | 2356 | f761d70.exe | 15
PID 2356 wrote to memory of 1444 | 2356 | f761d70.exe | 27
PID 2356 wrote to memory of 2012 | 2356 | f761d70.exe | 28 (2 entries)
PID 2012 wrote to memory of 2580 | 2012 | rundll32.exe | 30 (4 entries)
PID 2012 wrote to memory of 2604 | 2012 | rundll32.exe | 31 (4 entries)
PID 2356 wrote to memory of 1120 | 2356 | f761d70.exe | 12
PID 2356 wrote to memory of 1176 | 2356 | f761d70.exe | 16
PID 2356 wrote to memory of 1248 | 2356 | f761d70.exe | 13
PID 2356 wrote to memory of 2580 | 2356 | f761d70.exe | 30 (2 entries)
PID 2356 wrote to memory of 2604 | 2356 | f761d70.exe | 31 (2 entries)
PID 2604 wrote to memory of 1120 | 2604 | f763939.exe | 12
PID 2604 wrote to memory of 1176 | 2604 | f763939.exe | 16
PID 2604 wrote to memory of 1248 | 2604 | f763939.exe | 13
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f761d70.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f763939.exe
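The registry rows above (firewall policy, EnableLUA, Security Center overrides) are the defence-impairment set the two dropped executables write. The script below is an added example by the editor, not part of the sandbox report or of any vendor tooling: it parses rows in the report's "description ioc Process" layout and flags the values that switch a control off. The sample rows are copied from the tables above plus one constructed control row (a write of the secure value by svchost.exe) that must not fire. The ATT&CK sub-technique IDs in TAMPER_RULES are the editor's mapping; the report itself names only the techniques in its MITRE section. One practitioner caveat is built in: the payload runs as 32-bit under the SysWOW64 copy of rundll32.exe, so its HKLM\SOFTWARE writes land under Wow6432Node, and a rule that matches only the native path would miss them.

```python
import re
from collections import defaultdict

# Rows in the report's "description ioc Process" layout. Constructed sample
# input for this example: seven rows copied from the tables above plus a
# control row (last) that sets the secure value and must not be flagged.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f763939.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f763939.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f763939.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f761d70.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f761d70.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f763939.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f761d70.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" svchost.exe
"""

# op, registry path, optional '= "value"', then the process image at the end.
# The path is matched lazily and may contain spaces ("Security Center").
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s=\s"(?P<value>[^"]*)")?'
    r'\s(?P<proc>\S+)$'
)

# Path suffix (lower-case, Wow6432Node removed) -> (value that disables the
# control, ATT&CK label). The mapping is the editor's, not the report's.
TAMPER_RULES = {
    r"firewallpolicy\standardprofile\enablefirewall":       ("0", "T1562.004 Disable or Modify System Firewall"),
    r"firewallpolicy\standardprofile\donotallowexceptions": ("0", "T1562.004 Disable or Modify System Firewall"),
    r"firewallpolicy\standardprofile\disablenotifications": ("1", "T1562.004 Disable or Modify System Firewall"),
    r"policies\system\enablelua":                           ("0", "T1548.002 Bypass User Account Control"),
    r"security center\antivirusoverride":                   ("1", "T1562.001 Disable or Modify Tools"),
    r"security center\antivirusdisablenotify":              ("1", "T1562.001 Disable or Modify Tools"),
    r"security center\firewalloverride":                    ("1", "T1562.001 Disable or Modify Tools"),
    r"security center\firewalldisablenotify":               ("1", "T1562.001 Disable or Modify Tools"),
    r"security center\updatesdisablenotify":                ("1", "T1562.001 Disable or Modify Tools"),
    r"security center\uacdisablenotify":                    ("1", "T1562.001 Disable or Modify Tools"),
}


def parse_row(line):
    """Parse one report row into a dict (op, type, path, value, proc); None for non-row text."""
    m = ROW_RE.match(line.strip())
    return m.groupdict() if m else None


def normalize(path):
    """Lower-case the path and drop the WOW64 redirection node, so writes made by a
    32-bit process (here: the SysWOW64 copy of rundll32.exe and its children)
    match the same rules as native 64-bit writes."""
    return path.lower().replace(r"\wow6432node", "")


def classify(event):
    """Return the ATT&CK label if the event sets a known defence-disabling value, else None."""
    if event["value"] is None:          # 'Key created' rows carry no value to judge
        return None
    norm = normalize(event["path"])
    for suffix, (bad_value, technique) in TAMPER_RULES.items():
        if norm.endswith(suffix) and event["value"] == bad_value:
            return technique
    return None


def triage(report_text):
    """Group flagged writes by process image: {proc: sorted list of ATT&CK labels}."""
    hits = defaultdict(set)
    for line in report_text.splitlines():
        event = parse_row(line)
        if event is None:
            continue
        technique = classify(event)
        if technique:
            hits[event["proc"]].add(technique)
    return {proc: sorted(t) for proc, t in hits.items()}


if __name__ == "__main__":
    for proc, techniques in triage(SAMPLE_ROWS).items():
        print(proc)
        for technique in techniques:
            print("   ", technique)
```

Run against the full tables above, the output attributes the firewall and Security Center tampering to both f761d70.exe and f763939.exe and the EnableLUA write to both as well; the svchost.exe control row is parsed but not flagged because "1" is the secure value for EnableFirewall.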
Processes
(depth in the tree shown in brackets; children are indented under their parent)

[1] C:\Windows\system32\taskhost.exe | cmdline: "taskhost.exe" | PID 1120
[1] C:\Windows\Explorer.EXE | cmdline: C:\Windows\Explorer.EXE | PID 1248
  [2] C:\Windows\system32\rundll32.exe | cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Packed.Win32.Salpack.dll,#1 | PID 1444
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\rundll32.exe | cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Packed.Win32.Salpack.dll,#1 | PID 2012
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\f761d70.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\f761d70.exe | PID 2356
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
      [4] C:\Users\Admin\AppData\Local\Temp\f762240.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\f762240.exe | PID 2580
          - Executes dropped EXE
      [4] C:\Users\Admin\AppData\Local\Temp\f763939.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\f763939.exe | PID 2604
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
[1] C:\Windows\system32\DllHost.exe | cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 1072
[1] C:\Windows\system32\Dwm.exe | cmdline: "C:\Windows\system32\Dwm.exe" | PID 1176
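Read together with the process tree, the WriteProcessMemory rows split into two kinds. rundll32.exe (2012) writes only into the three executables it spawned, which is what a parent does right after CreateProcess (the sandbox's own monitoring hooks produce such writes too) and is not evidence of injection on its own. f761d70.exe (2356) and f763939.exe (2604), by contrast, write into taskhost.exe, Explorer.EXE, Dwm.exe and DllHost.exe, processes they did not create. The script below is an added example by the editor, not from the report: it builds the writer-to-target graph from rows in the report's layout and uses the tree's parent relations to separate spawn-time writes from injection. The rows are a constructed, de-duplicated subset of the table above; in PROCESS_TREE the parent PIDs follow the tree nesting, and the parent of the first rundll32.exe (1444) is taken to be Explorer.EXE from its position under it, which is an assumption.

```python
import re
from collections import defaultdict

# Rows in the report's "description pid Process procid_target" layout.
# Constructed sample input: one row per distinct writer/target pair taken
# from the table above (the report repeats rows, one per call).
WRITE_ROWS = """\
PID 1444 wrote to memory of 2012 1444 rundll32.exe 28
PID 2012 wrote to memory of 2356 2012 rundll32.exe 29
PID 2356 wrote to memory of 1120 2356 f761d70.exe 12
PID 2356 wrote to memory of 1176 2356 f761d70.exe 16
PID 2356 wrote to memory of 1248 2356 f761d70.exe 13
PID 2356 wrote to memory of 1072 2356 f761d70.exe 15
PID 2356 wrote to memory of 1444 2356 f761d70.exe 27
PID 2356 wrote to memory of 2012 2356 f761d70.exe 28
PID 2012 wrote to memory of 2580 2012 rundll32.exe 30
PID 2012 wrote to memory of 2604 2012 rundll32.exe 31
PID 2356 wrote to memory of 2580 2356 f761d70.exe 30
PID 2356 wrote to memory of 2604 2356 f761d70.exe 31
PID 2604 wrote to memory of 1120 2604 f763939.exe 12
PID 2604 wrote to memory of 1176 2604 f763939.exe 16
PID 2604 wrote to memory of 1248 2604 f763939.exe 13
"""

# PID -> (image name, parent PID), reconstructed from the process tree.
# Parent of 1444 is assumed to be Explorer.EXE from the tree nesting.
PROCESS_TREE = {
    1120: ("taskhost.exe", None),
    1248: ("Explorer.EXE", None),
    1072: ("DllHost.exe", None),
    1176: ("Dwm.exe", None),
    1444: ("rundll32.exe", 1248),
    2012: ("rundll32.exe", 1444),
    2356: ("f761d70.exe", 2012),
    2580: ("f762240.exe", 2012),
    2604: ("f763939.exe", 2012),
}

# The writer PID appears twice in each row; the backreference enforces that.
ROW_RE = re.compile(
    r"^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P=writer) (?P<image>\S+) (?P<target_idx>\d+)$"
)


def build_write_graph(rows):
    """writer PID -> set of target PIDs, with repeated rows collapsed."""
    graph = defaultdict(set)
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            graph[int(m["writer"])].add(int(m["target"]))
    return dict(graph)


def classify_writes(graph, tree):
    """Split writes into spawn-time writes (writer is the target's parent) and
    writes into any other process, which are treated as injection.
    Returns (spawns, injections), both {writer PID: set of target PIDs}."""
    spawns, injections = defaultdict(set), defaultdict(set)
    for writer, targets in graph.items():
        for target in targets:
            _, parent = tree.get(target, ("?", None))
            (spawns if parent == writer else injections)[writer].add(target)
    return dict(spawns), dict(injections)


def spray_injectors(graph, tree, min_targets=3):
    """Writers that injected into at least min_targets distinct processes:
    {writer PID: (writer image, sorted victim image names)}."""
    _, injections = classify_writes(graph, tree)
    return {
        writer: (tree.get(writer, ("?",))[0],
                 sorted(tree.get(t, ("?",))[0] for t in targets))
        for writer, targets in injections.items()
        if len(targets) >= min_targets
    }


if __name__ == "__main__":
    graph = build_write_graph(WRITE_ROWS)
    for pid, (image, victims) in spray_injectors(graph, PROCESS_TREE).items():
        print(f"{image} ({pid}) injected into {len(victims)} processes: {', '.join(victims)}")
```

The threshold of three distinct, non-child targets is a triage heuristic, not a rule from the report: a single parent-to-child write is routine, while a freshly dropped executable writing into the shell, the desktop window manager and a COM surrogate it did not start is the pattern worth escalating.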
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 97KB
MD5: caf5df77dd351caf192c62df01558c5f
SHA1: 23019aecb3f2825c43553c2cb8737cb488933bd7
SHA256: c1b3f78e6f24cced31d35f064ec9401160491f158ab8a88c42bbf39153c1e73b
SHA512: d223855ad608ed25c501cd21bc939a8588a8845e30ba9ddaac352cb5a87582eb66e02b1540c343c072bae50b14187dce02e26bf7eb407d8de031f9bc36e51d16

Filesize: 257B
MD5: 6a4b5a903a29fc207c0958399d957053
SHA1: 154701aa4525c2da67417e24d64550dabd188045
SHA256: 1d870296107db4e5514a59b38ed578cbd37d5d8919b2e42b7cc907a57e748974
SHA512: 7e8bd8557886409b5c84434c0d28136dad7aa4611c1da8323c091f2e36917eaae6f381ac4d7eb741de470d78d80ff3609bad9d0bd6e398883f41001e70492621