Analysis
  max time kernel: 147s
  max time network: 165s
  platform: windows10-2004_x64
  resource: win10v2004-20240226-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 29/02/2024, 08:51

Static task: static1
Behavioral task: behavioral1
  Sample: Packed.Win32.Salpack.dll
  Resource: win7-20240221-en

General
  Target: Packed.Win32.Salpack.dll
  Size: 120KB
  MD5: d1aa87b843048ddaaa60250a8d2356ee
  SHA1: 99193bc74f0b9450211d78902a7b281aa45f45fe
  SHA256: 9cba23e62607106638fbefce00cebfd267791bca3ac8289d7ec5ec2a346d0c28
  SHA512: fd885290957f4186ce12c536fa6b4b46890f172d52703bf8fc84dd5b03bae4336b429521f51baf335bd2c3eacc14159dc45f676eae1e9c97d2db096b51d8aa5c
  SSDEEP: 3072:70IxCoyignbh6wL9cjPIR7axm3Bg5MDzZr4yD7a:3xCoyPbhJatm32YVz7a
Malware Config
  Extracted family: sality
  URLs:
    http://89.119.67.154/testo5/
    http://kukutrustnet777.info/home.gif
    http://kukutrustnet888.info/home.gif
    http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57b054.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57b054.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57d060.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57d060.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57d060.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57b054.exe
UAC bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d060.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b054.exe
Windows security bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d060.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d060.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b054.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b054.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b054.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d060.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d060.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b054.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b054.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b054.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d060.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d060.exe
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality (26 IoCs)
UPX dump on OEP (original entry point) (30 IoCs)
Executes dropped EXE (3 IoCs)
  pid | Process
  2536 | e57b054.exe
  1220 | e57b43c.exe
  1416 | e57d060.exe
Windows security modification
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57d060.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b054.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57d060.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57b054.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57d060.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b054.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b054.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b054.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57d060.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57d060.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57d060.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57d060.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b054.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b054.exe
Checks whether UAC is enabled
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d060.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b054.exe
Enumerates connected drives (3 TTPs, 4 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\E: | e57b054.exe
  File opened (read-only) | \??\G: | e57b054.exe
  File opened (read-only) | \??\H: | e57b054.exe
  File opened (read-only) | \??\I: | e57b054.exe
Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\e57b268 | e57b054.exe
  File opened for modification | C:\Windows\SYSTEM.INI | e57b054.exe
  File created | C:\Windows\e5811ed | e57d060.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  2536 | e57b054.exe
  2536 | e57b054.exe
  2536 | e57b054.exe
  2536 | e57b054.exe
  1416 | e57d060.exe
  1416 | e57d060.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 4972 wrote to memory of 4292 | 4972 | rundll32.exe | 86
  PID 4972 wrote to memory of 4292 | 4972 | rundll32.exe | 86
  PID 4972 wrote to memory of 4292 | 4972 | rundll32.exe | 86
  PID 4292 wrote to memory of 2536 | 4292 | rundll32.exe | 89
  PID 4292 wrote to memory of 2536 | 4292 | rundll32.exe | 89
  PID 4292 wrote to memory of 2536 | 4292 | rundll32.exe | 89
  PID 2536 wrote to memory of 776 | 2536 | e57b054.exe | 8
  PID 2536 wrote to memory of 784 | 2536 | e57b054.exe | 9
  PID 2536 wrote to memory of 60 | 2536 | e57b054.exe | 12
  PID 2536 wrote to memory of 2496 | 2536 | e57b054.exe | 76
  PID 2536 wrote to memory of 2524 | 2536 | e57b054.exe | 73
  PID 2536 wrote to memory of 2816 | 2536 | e57b054.exe | 70
  PID 2536 wrote to memory of 3520 | 2536 | e57b054.exe | 46
  PID 2536 wrote to memory of 3672 | 2536 | e57b054.exe | 45
  PID 2536 wrote to memory of 3868 | 2536 | e57b054.exe | 44
  PID 2536 wrote to memory of 4008 | 2536 | e57b054.exe | 42
  PID 2536 wrote to memory of 4080 | 2536 | e57b054.exe | 43
  PID 2536 wrote to memory of 3312 | 2536 | e57b054.exe | 68
  PID 2536 wrote to memory of 4192 | 2536 | e57b054.exe | 67
  PID 2536 wrote to memory of 1064 | 2536 | e57b054.exe | 55
  PID 2536 wrote to memory of 3500 | 2536 | e57b054.exe | 54
  PID 2536 wrote to memory of 1524 | 2536 | e57b054.exe | 75
  PID 2536 wrote to memory of 4872 | 2536 | e57b054.exe | 74
  PID 2536 wrote to memory of 4972 | 2536 | e57b054.exe | 84
  PID 2536 wrote to memory of 4292 | 2536 | e57b054.exe | 86
  PID 2536 wrote to memory of 4292 | 2536 | e57b054.exe | 86
  PID 2536 wrote to memory of 4160 | 2536 | e57b054.exe | 87
  PID 2536 wrote to memory of 1708 | 2536 | e57b054.exe | 88
  PID 4292 wrote to memory of 1220 | 4292 | rundll32.exe | 90
  PID 4292 wrote to memory of 1220 | 4292 | rundll32.exe | 90
  PID 4292 wrote to memory of 1220 | 4292 | rundll32.exe | 90
  PID 4292 wrote to memory of 1416 | 4292 | rundll32.exe | 91
  PID 4292 wrote to memory of 1416 | 4292 | rundll32.exe | 91
  PID 4292 wrote to memory of 1416 | 4292 | rundll32.exe | 91
  PID 2536 wrote to memory of 776 | 2536 | e57b054.exe | 8
  PID 2536 wrote to memory of 784 | 2536 | e57b054.exe | 9
  PID 2536 wrote to memory of 60 | 2536 | e57b054.exe | 12
  PID 2536 wrote to memory of 2496 | 2536 | e57b054.exe | 76
  PID 2536 wrote to memory of 2524 | 2536 | e57b054.exe | 73
  PID 2536 wrote to memory of 2816 | 2536 | e57b054.exe | 70
  PID 2536 wrote to memory of 3520 | 2536 | e57b054.exe | 46
  PID 2536 wrote to memory of 3672 | 2536 | e57b054.exe | 45
  PID 2536 wrote to memory of 3868 | 2536 | e57b054.exe | 44
  PID 2536 wrote to memory of 4008 | 2536 | e57b054.exe | 42
  PID 2536 wrote to memory of 4080 | 2536 | e57b054.exe | 43
  PID 2536 wrote to memory of 3312 | 2536 | e57b054.exe | 68
  PID 2536 wrote to memory of 4192 | 2536 | e57b054.exe | 67
  PID 2536 wrote to memory of 1064 | 2536 | e57b054.exe | 55
  PID 2536 wrote to memory of 3500 | 2536 | e57b054.exe | 54
  PID 2536 wrote to memory of 1524 | 2536 | e57b054.exe | 75
  PID 2536 wrote to memory of 4872 | 2536 | e57b054.exe | 74
  PID 2536 wrote to memory of 4160 | 2536 | e57b054.exe | 87
  PID 2536 wrote to memory of 1708 | 2536 | e57b054.exe | 88
  PID 2536 wrote to memory of 1220 | 2536 | e57b054.exe | 90
  PID 2536 wrote to memory of 1220 | 2536 | e57b054.exe | 90
  PID 2536 wrote to memory of 1416 | 2536 | e57b054.exe | 91
  PID 2536 wrote to memory of 1416 | 2536 | e57b054.exe | 91
  PID 1416 wrote to memory of 776 | 1416 | e57d060.exe | 8
  PID 1416 wrote to memory of 784 | 1416 | e57d060.exe | 9
  PID 1416 wrote to memory of 60 | 1416 | e57d060.exe | 12
  PID 1416 wrote to memory of 2496 | 1416 | e57d060.exe | 76
  PID 1416 wrote to memory of 2524 | 1416 | e57d060.exe | 73
  PID 1416 wrote to memory of 2816 | 1416 | e57d060.exe | 70
  PID 1416 wrote to memory of 3520 | 1416 | e57d060.exe | 46
System policy modification (1 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57d060.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b054.exe
Processes (indented by nesting depth; child processes sit under their parent)

  C:\Windows\system32\fontdrvhost.exe (PID 776)
    command line: "fontdrvhost.exe"

  C:\Windows\system32\fontdrvhost.exe (PID 784)
    command line: "fontdrvhost.exe"

  C:\Windows\system32\dwm.exe (PID 60)
    command line: "dwm.exe"

  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 4008)
    command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

  C:\Windows\System32\RuntimeBroker.exe (PID 4080)
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

  C:\Windows\system32\DllHost.exe (PID 3868)
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

  C:\Windows\system32\svchost.exe (PID 3672)
    command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

  C:\Windows\Explorer.EXE (PID 3520)
    command line: C:\Windows\Explorer.EXE

    C:\Windows\system32\rundll32.exe (PID 4972)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Packed.Win32.Salpack.dll,#1
      signatures: Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\rundll32.exe (PID 4292)
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Packed.Win32.Salpack.dll,#1
        signatures: Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\e57b054.exe (PID 2536)
          command line: C:\Users\Admin\AppData\Local\Temp\e57b054.exe
          signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification

        C:\Users\Admin\AppData\Local\Temp\e57b43c.exe (PID 1220)
          command line: C:\Users\Admin\AppData\Local\Temp\e57b43c.exe
          signatures: Executes dropped EXE

        C:\Users\Admin\AppData\Local\Temp\e57d060.exe (PID 1416)
          command line: C:\Users\Admin\AppData\Local\Temp\e57d060.exe
          signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification

  C:\Windows\System32\RuntimeBroker.exe (PID 3500)
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (PID 1064)
    command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

  C:\Windows\System32\RuntimeBroker.exe (PID 4192)
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 3312)
    command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

  C:\Windows\system32\taskhostw.exe (PID 2816)
    command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

  C:\Windows\system32\svchost.exe (PID 2524)
    command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

  C:\Windows\system32\backgroundTaskHost.exe (PID 4872)
    command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

  C:\Windows\system32\backgroundTaskHost.exe (PID 1524)
    command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

  C:\Windows\system32\sihost.exe (PID 2496)
    command line: sihost.exe

  C:\Windows\System32\RuntimeBroker.exe (PID 4160)
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

  C:\Windows\System32\RuntimeBroker.exe (PID 1708)
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
    Create or Modify System Process (1): Windows Service (1)
  Defense Evasion
    Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
    Impair Defenses (3): Disable or Modify Tools (3)
    Modify Registry (5)
Downloads
  Dropped file 1
    Filesize: 97KB
    MD5: caf5df77dd351caf192c62df01558c5f
    SHA1: 23019aecb3f2825c43553c2cb8737cb488933bd7
    SHA256: c1b3f78e6f24cced31d35f064ec9401160491f158ab8a88c42bbf39153c1e73b
    SHA512: d223855ad608ed25c501cd21bc939a8588a8845e30ba9ddaac352cb5a87582eb66e02b1540c343c072bae50b14187dce02e26bf7eb407d8de031f9bc36e51d16
  Dropped file 2
    Filesize: 257B
    MD5: 635e78df1b3302774a6740f53e35567e
    SHA1: 9ee71222d7d9aaeff23857e7efc209eac59ec521
    SHA256: 866c1f09a2ad781c12dd7a4ee25d0054c9b4b3a6958a851280933cfbc16b54a2
    SHA512: a9c25e2ff0340fe28d98ca735a57d11a8a1acbd661463aec2f3549b4f7542cefdfa6aaae9d5f863beb0d17430c6ca81ec3fdbc1cf18ea6877d2c73c562dbfd25