Analysis
-
max time kernel
104s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29/02/2024, 08:51
Static task
static1
Behavioral task
behavioral1
Sample
Packed.Win32.Salpack.dll
Resource
win7-20240221-en
General
-
Target
Packed.Win32.Salpack.dll
-
Size
120KB
-
MD5
fb8b3e5be92b6d3939a2481735fe6d51
-
SHA1
0212fcc74a64fb93e3c3b5481ed5595259b67b70
-
SHA256
e438d0a0631047f8f62fa69bd4dc07f6c4f0f1cac554b7ba6d166c0d5cf6f2e8
-
SHA512
22a983cb6af1fd01cc012ba76747629b4a037ab2c2d720babd22af1fc92e42a131f57532aa3449ce0ad5f0d4e8ebf75d94dc438ecac3c41e327caf7d632e6a0f
-
SSDEEP
1536:wOJRalekPiLKM+88m+xJMVJxKgJvhmnJTPb8QIPal60GkOPfOQZ0pYxJDac3280P:VapKw924noBThzJDZN0P
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e576dfc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e576dfc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e576dfc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e57a7aa.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e57a7aa.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e57a7aa.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e576dfc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57a7aa.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e57a7aa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e57a7aa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57a7aa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e576dfc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e576dfc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e576dfc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57a7aa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57a7aa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e576dfc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e576dfc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e576dfc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e57a7aa.exe -
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 30 IoCs
resource yara_rule behavioral2/memory/1844-6-0x00000000007E0000-0x000000000189A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/1844-8-0x00000000007E0000-0x000000000189A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/1844-9-0x00000000007E0000-0x000000000189A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/1844-14-0x00000000007E0000-0x000000000189A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/1844-23-0x00000000007E0000-0x000000000189A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/1844-30-0x00000000007E0000-0x000000000189A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/1844-31-0x00000000007E0000-0x000000000189A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/1844-32-0x00000000007E0000-0x000000000189A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/1844-33-0x00000000007E0000-0x000000000189A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/1844-34-0x00000000007E0000-0x000000000189A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/1844-35-0x00000000007E0000-0x000000000189A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/1844-36-0x00000000007E0000-0x000000000189A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/1844-41-0x00000000007E0000-0x000000000189A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/1844-50-0x00000000007E0000-0x000000000189A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/1844-51-0x00000000007E0000-0x000000000189A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/1844-52-0x00000000007E0000-0x000000000189A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/1844-58-0x00000000007E0000-0x000000000189A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/1844-59-0x00000000007E0000-0x000000000189A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/1844-60-0x00000000007E0000-0x000000000189A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/4728-82-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/4728-84-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/4728-85-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/4728-86-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/4728-87-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/4728-88-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/4728-92-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/4728-98-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/4728-99-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/4728-100-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral2/memory/4728-118-0x00000000007B0000-0x000000000186A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine -
UPX dump on OEP (original entry point) 35 IoCs
resource yara_rule behavioral2/memory/1844-5-0x0000000000400000-0x0000000000412000-memory.dmp UPX behavioral2/memory/1844-6-0x00000000007E0000-0x000000000189A000-memory.dmp UPX behavioral2/memory/1844-8-0x00000000007E0000-0x000000000189A000-memory.dmp UPX behavioral2/memory/1844-9-0x00000000007E0000-0x000000000189A000-memory.dmp UPX behavioral2/memory/1844-14-0x00000000007E0000-0x000000000189A000-memory.dmp UPX behavioral2/memory/4600-24-0x0000000000400000-0x0000000000412000-memory.dmp UPX behavioral2/memory/1844-23-0x00000000007E0000-0x000000000189A000-memory.dmp UPX behavioral2/memory/1844-30-0x00000000007E0000-0x000000000189A000-memory.dmp UPX behavioral2/memory/1844-31-0x00000000007E0000-0x000000000189A000-memory.dmp UPX behavioral2/memory/1844-32-0x00000000007E0000-0x000000000189A000-memory.dmp UPX behavioral2/memory/1844-33-0x00000000007E0000-0x000000000189A000-memory.dmp UPX behavioral2/memory/1844-34-0x00000000007E0000-0x000000000189A000-memory.dmp UPX behavioral2/memory/1844-35-0x00000000007E0000-0x000000000189A000-memory.dmp UPX behavioral2/memory/1844-36-0x00000000007E0000-0x000000000189A000-memory.dmp UPX behavioral2/memory/1844-41-0x00000000007E0000-0x000000000189A000-memory.dmp UPX behavioral2/memory/4728-49-0x0000000000400000-0x0000000000412000-memory.dmp UPX behavioral2/memory/1844-50-0x00000000007E0000-0x000000000189A000-memory.dmp UPX behavioral2/memory/1844-51-0x00000000007E0000-0x000000000189A000-memory.dmp UPX behavioral2/memory/1844-52-0x00000000007E0000-0x000000000189A000-memory.dmp UPX behavioral2/memory/1844-58-0x00000000007E0000-0x000000000189A000-memory.dmp UPX behavioral2/memory/1844-59-0x00000000007E0000-0x000000000189A000-memory.dmp UPX behavioral2/memory/1844-60-0x00000000007E0000-0x000000000189A000-memory.dmp UPX behavioral2/memory/1844-81-0x0000000000400000-0x0000000000412000-memory.dmp UPX behavioral2/memory/4728-82-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/4728-84-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/4728-85-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/4728-86-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/4728-87-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/4728-88-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/4728-92-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/4728-98-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/4728-99-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/4728-100-0x00000000007B0000-0x000000000186A000-memory.dmp UPX behavioral2/memory/4728-117-0x0000000000400000-0x0000000000412000-memory.dmp UPX behavioral2/memory/4728-118-0x00000000007B0000-0x000000000186A000-memory.dmp UPX -
Executes dropped EXE 3 IoCs
pid Process 1844 e576dfc.exe 4600 e5770ea.exe 4728 e57a7aa.exe -
resource yara_rule behavioral2/memory/1844-6-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/1844-8-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/1844-9-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/1844-14-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/1844-23-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/1844-30-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/1844-31-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/1844-32-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/1844-33-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/1844-34-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/1844-35-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/1844-36-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/1844-41-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/1844-50-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/1844-51-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/1844-52-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/1844-58-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/1844-59-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/1844-60-0x00000000007E0000-0x000000000189A000-memory.dmp upx behavioral2/memory/4728-82-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/4728-84-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/4728-85-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/4728-86-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/4728-87-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/4728-88-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/4728-92-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/4728-98-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/4728-99-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/4728-100-0x00000000007B0000-0x000000000186A000-memory.dmp upx behavioral2/memory/4728-118-0x00000000007B0000-0x000000000186A000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e576dfc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57a7aa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57a7aa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e576dfc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e576dfc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e57a7aa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e57a7aa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57a7aa.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e57a7aa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e576dfc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e576dfc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e576dfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e576dfc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e57a7aa.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e576dfc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57a7aa.exe -
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: e576dfc.exe File opened (read-only) \??\G: e576dfc.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\e57cfe3 e57a7aa.exe File created C:\Windows\e576f54 e576dfc.exe File opened for modification C:\Windows\SYSTEM.INI e576dfc.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1844 e576dfc.exe 1844 e576dfc.exe 1844 e576dfc.exe 1844 e576dfc.exe 4728 e57a7aa.exe 4728 e57a7aa.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe Token: SeDebugPrivilege 1844 e576dfc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2664 wrote to memory of 2844 2664 rundll32.exe 89 PID 2664 wrote to memory of 2844 2664 rundll32.exe 89 PID 2664 wrote to memory of 2844 2664 rundll32.exe 89 PID 2844 wrote to memory of 1844 2844 rundll32.exe 91 PID 2844 wrote to memory of 1844 2844 rundll32.exe 91 PID 2844 wrote to memory of 1844 2844 rundll32.exe 91 PID 1844 wrote to memory of 776 1844 e576dfc.exe 5 PID 1844 wrote to memory of 784 1844 e576dfc.exe 13 PID 1844 wrote to memory of 320 1844 e576dfc.exe 6 PID 1844 wrote to memory of 2624 1844 e576dfc.exe 63 PID 1844 wrote to memory of 2656 1844 e576dfc.exe 62 PID 1844 wrote to memory of 2928 1844 e576dfc.exe 57 PID 1844 wrote to memory of 3464 1844 e576dfc.exe 53 PID 1844 wrote to memory of 3572 1844 e576dfc.exe 52 PID 1844 wrote to memory of 3784 1844 e576dfc.exe 51 PID 1844 wrote to memory of 3908 1844 e576dfc.exe 50 PID 1844 wrote to memory of 3972 1844 e576dfc.exe 22 PID 1844 wrote to memory of 4064 1844 e576dfc.exe 49 PID 1844 wrote to memory of 4192 1844 e576dfc.exe 48 PID 1844 wrote to memory of 476 1844 e576dfc.exe 46 PID 1844 wrote to memory of 3980 1844 e576dfc.exe 24 PID 1844 wrote to memory of 3128 1844 e576dfc.exe 28 PID 1844 wrote to memory of 1152 1844 e576dfc.exe 27 PID 1844 wrote to memory of 1680 1844 e576dfc.exe 26 PID 1844 wrote to memory of 2664 1844 e576dfc.exe 29 PID 1844 wrote to memory of 2844 1844 e576dfc.exe 89 PID 1844 wrote to memory of 2844 1844 e576dfc.exe 89 PID 1844 wrote to memory of 3148 1844 e576dfc.exe 90 PID 2844 wrote to memory of 4600 2844 rundll32.exe 92 PID 2844 wrote to memory of 4600 2844 rundll32.exe 92 PID 2844 wrote to memory of 4600 2844 rundll32.exe 92 PID 1844 wrote to memory of 776 1844 e576dfc.exe 5 PID 1844 wrote to memory of 784 1844 e576dfc.exe 13 PID 1844 wrote to memory of 320 1844 e576dfc.exe 6 PID 1844 wrote to memory of 2624 1844 e576dfc.exe 63 PID 1844 wrote to memory of 2656 1844 e576dfc.exe 62 PID 1844 wrote to memory of 2928 1844 e576dfc.exe 57 PID 1844 wrote to memory of 3464 1844 e576dfc.exe 53 PID 1844 wrote to memory of 3572 1844 e576dfc.exe 52 PID 1844 wrote to memory of 3784 1844 e576dfc.exe 51 PID 1844 wrote to memory of 3908 1844 e576dfc.exe 50 PID 1844 wrote to memory of 3972 1844 e576dfc.exe 22 PID 1844 wrote to memory of 4064 1844 e576dfc.exe 49 PID 1844 wrote to memory of 4192 1844 e576dfc.exe 48 PID 1844 wrote to memory of 476 1844 e576dfc.exe 46 PID 1844 wrote to memory of 3980 1844 e576dfc.exe 24 PID 1844 wrote to memory of 3128 1844 e576dfc.exe 28 PID 1844 wrote to memory of 1152 1844 e576dfc.exe 27 PID 1844 wrote to memory of 1680 1844 e576dfc.exe 26 PID 1844 wrote to memory of 2664 1844 e576dfc.exe 29 PID 1844 wrote to memory of 3148 1844 e576dfc.exe 90 PID 1844 wrote to memory of 4600 1844 e576dfc.exe 92 PID 1844 wrote to memory of 4600 1844 e576dfc.exe 92 PID 1844 wrote to memory of 5100 1844 e576dfc.exe 93 PID 1844 wrote to memory of 2572 1844 e576dfc.exe 94 PID 1844 wrote to memory of 4900 1844 e576dfc.exe 95 PID 2844 wrote to memory of 4728 2844 rundll32.exe 97 PID 2844 wrote to memory of 4728 2844 rundll32.exe 97 PID 2844 wrote to memory of 4728 2844 rundll32.exe 97 PID 4728 wrote to memory of 776 4728 e57a7aa.exe 5 PID 4728 wrote to memory of 784 4728 e57a7aa.exe 13 PID 4728 wrote to memory of 320 4728 e57a7aa.exe 6 PID 4728 wrote to memory of 2624 4728 e57a7aa.exe 63 PID 4728 wrote to memory of 2656 4728 e57a7aa.exe 62 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e576dfc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57a7aa.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:776
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:320
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:784
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3972
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:3980
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:1680
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵PID:1152
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca1⤵PID:3128
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\Packed.Win32.Salpack.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\Packed.Win32.Salpack.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Users\Admin\AppData\Local\Temp\e576dfc.exeC:\Users\Admin\AppData\Local\Temp\e576dfc.exe3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1844
-
-
C:\Users\Admin\AppData\Local\Temp\e5770ea.exeC:\Users\Admin\AppData\Local\Temp\e5770ea.exe3⤵
- Executes dropped EXE
PID:4600
-
-
C:\Users\Admin\AppData\Local\Temp\e57a7aa.exeC:\Users\Admin\AppData\Local\Temp\e57a7aa.exe3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4728
-
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:476
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4192
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4064
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3908
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3784
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3572
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3464
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2928
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2656
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2624
-
C:\Windows\system32\BackgroundTaskHost.exe"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider1⤵PID:3148
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:5100
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2572
-
C:\Windows\System32\wuapihost.exeC:\Windows\System32\wuapihost.exe -Embedding1⤵PID:4900
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD52dbaf6c9322694eed36f5db287e977b5
SHA19009b4e7ef9e7f1f012bff8c2a6beb311ace94c4
SHA256cf3f29025570deb7227b4cd4b8a88d49c3987f0abaa26d04581bec3fc1957db3
SHA5128347e8ef0c4ba69329e0f27af10bd71858692f0696abfde1b8e32d1c50ad49049b7df9f5ffbc5d3f88d489337e8a464d309e7c845775b2d0f131835d3bc54c71
-
Filesize
257B
MD5f9ede2bf24098023078ad72afa9d2e7b
SHA1449b69ea0adb0958cd84ada231caedce5e89f5d3
SHA256d86161df67a6aa9d7fd28d0ac9a919a736c112e690fec2793fb59b4f4e45e838
SHA512fc0dc264d63eb74ec912275af7e09db4865436094be4761d7a1b32ac87ccf7f7c19614d318fe554f52f011a817e88942fedfc0989525fde8152918b3665bc744